Hyper-V Replica for Disaster Recovery

An inexpensive solution for small and medium businesses


Living in Texas at the bowling pin end of Tornado Alley, I've always been conscious of what would happen to my data should a disaster drop down from the sky. Before cloud-based backups, I did my own offsite backups by copying my Windows Home Server data to a large USB drive that I toted to my karate dojo and stored in a locked cabinet. Real businesses have stricter objectives, however. In the months of reconstruction taking place on the East Coast in the wake of Hurricane Sandy, IT departments up and down the coast are thinking about disaster recovery. How can they provide some degree of business continuity the next time wind and water invade their company? If you're using Hyper-V for server virtualization, Windows Server 2012 has a feature you should immediately have a good look at: Hyper-V Replica.

Hyper-V Replica provides the ability to take a virtual machine (VM) on one Windows Server 2012 Hyper-V host and create a loosely coupled replica on another Windows Server 2012 Hyper-V host. "Loosely coupled" means the replica is not tightly in sync with the source; the latency is approximately five minutes or so when the replication channel is working correctly. With this replica in place, if the source VM fails with no warning, you can bring the replica online and have a very slightly older version available to customers almost immediately. If you have time to gracefully shut down the source VM and replicate its delta to the offsite replica, the failed-over VM will be identical to the source.


This approach sounds like a great idea, but the feature won't be of much use if it has stringent infrastructure requirements. One of the major benefits of Hyper-V Replica is that it doesn't have any dependencies on storage or network infrastructure. One end can have SAN storage with 10 Gigabit Ethernet, the other a standalone Hyper-V host with direct attached storage on a 100Mb network. What does the solution require? Two Windows Server 2012 Hyper-V hosts and network connectivity between them. That's pretty much it. Hyper-V Replica is specifically designed to work over high-latency, restricted bandwidth networks such as WAN circuits to branch offices, so you can easily configure replication across the data center, campus, or country.

You're probably already thinking of ways you could use Hyper-V Replica. Offsite replication of a VM to another location is certainly the primary scenario Microsoft designed the feature for; this location could be another site within the company, or at a hosting provider, or even an IaaS cloud. A good small business example would have a business's VMs replicated to their IT provider's own network or data center, so in case of a disaster (or if the small business owner accidentally breaks his own VM), a replica will keep the business running. You can also use Hyper-V Replica for planned failover if you're doing host maintenance and don't have a requirement for continuous availability during the maintenance window.

Hyper-V Replica works by first taking a shadow copy of the VM image and transferring it to the replica host. After this setup, the VM is kept up-to-date by copying a Hyper-V replica log file containing the VM's writes to the replica's host, which applies it to the VM (which is in a shutdown state). As nifty as Hyper-V Replica is, it can't subvert the laws of physics, so it'll obviously take longer for the initial transfer. There's an option to perform the initial transfer using external media (e.g., a USB drive) so you can sidestep bandwidth limitations entirely and, for example, hand-carry the image to your Las Vegas replica location. (A useful maxim to remember in IT work is a quote by Andrew S. Tanenbaum, influential professor and author of the classic book Computer Networks: "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.") Aidan Finn has a nice description of the Hyper-V Replica feature in his blog.

Hyper-V Replica also works with the free Hyper-V Server 2012 product. Assuming you've taken care of the licensing that Hyper-V Server 2012 doesn't provide for, it's a feature-complete version of the hypervisor. You can have virtualized disaster recovery at essentially no cost.

Hyper-V Replica isn't designed to replace clustering or Live Migration. It's specifically for disaster recovery situations. There's latency between the source and replica VMs of at least five minutes. (You can see the actual latency by right-clicking the replica VM, choosing Replication, and selecting View Replication Health.) Failover is a manual procedure, though I suppose you could script it. It's also not really intended to handle large numbers of VMs.
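Scripting the pieces described above is straightforward with the replication cmdlets in the Windows Server 2012 Hyper-V module. The following is an added example, not code from the article or from Microsoft: it restricts the replica host to a single authorized primary, enables replication for one VM, reads the same health data that View Replication Health shows, and performs a planned failover with reverse replication. The host names, VM name, trust-group name and storage paths are constructed placeholders, and Kerberos over TCP 80 assumes both hosts are in the same (or trusting) domains.

```powershell
# Added example, not from the article: drive a Windows Server 2012 Hyper-V
# Replica pair from PowerShell. Host names, VM name, trust group and paths
# are constructed placeholders.

$PrimaryHost = 'hv-primary.bigfirm.com'   # source Hyper-V host (placeholder)
$ReplicaHost = 'hv-replica.bigfirm.com'   # offsite Hyper-V host (placeholder)
$VMName      = 'FileServer01'             # VM to protect (placeholder)

function Enable-ReplicaTarget {
    # Replica host: accept replication with Kerberos on TCP 80, but only from
    # the named primary host rather than from any server (least privilege for
    # the replication channel). Certificate-based HTTPS is the alternative for
    # hosts that do not share a domain.
    Set-VMReplicationServer -ComputerName $ReplicaHost `
        -ReplicationEnabled $true `
        -AllowedAuthenticationType Kerberos `
        -KerberosAuthenticationPort 80 `
        -ReplicationAllowedFromAnyServer $false

    New-VMReplicationAuthorizationEntry -ComputerName $ReplicaHost `
        -AllowedPrimaryServer $PrimaryHost `
        -ReplicaStorageLocation 'D:\Replica' `
        -TrustGroup 'BigfirmDR'

    # The built-in firewall rule for the listener is disabled until you turn it on.
    Enable-NetFirewallRule -CimSession $ReplicaHost `
        -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

function Enable-ReplicaForVM {
    param([switch]$SeedViaExternalMedia)

    # Primary host: pair the VM with its replica and keep four recovery points.
    Enable-VMReplication -ComputerName $PrimaryHost -VMName $VMName `
        -ReplicaServerName $ReplicaHost -ReplicaServerPort 80 `
        -AuthenticationType Kerberos -CompressionEnabled $true -RecoveryHistory 4

    if ($SeedViaExternalMedia) {
        # The "station wagon full of tapes" path: write the initial copy to
        # removable media and import it on the replica host afterwards with
        # Import-VMInitialReplication -VMName $VMName -Path <media path>.
        Start-VMInitialReplication -ComputerName $PrimaryHost -VMName $VMName `
            -DestinationPath 'E:\ReplicaSeed'
    } else {
        Start-VMInitialReplication -ComputerName $PrimaryHost -VMName $VMName
    }
}

function Test-ReplicaHealth {
    # Same information as "View Replication Health" in Hyper-V Manager.
    $r = Measure-VMReplication -ComputerName $PrimaryHost -VMName $VMName
    if ($r.ReplicationHealth -ne 'Normal') {
        Write-Warning "$VMName replication health is $($r.ReplicationHealth)"
        $r | Format-List *     # full detail: last replication time, latency, errors
    }
    return $r.ReplicationHealth
}

function Invoke-PlannedFailover {
    # Planned failover: stop the source VM, send the remaining log, start the
    # replica, then reverse replication so the old primary becomes the replica.
    Stop-VM -ComputerName $PrimaryHost -Name $VMName
    Start-VMFailover -ComputerName $PrimaryHost -VMName $VMName -Prepare -Confirm:$false
    Start-VMFailover -ComputerName $ReplicaHost -VMName $VMName -Confirm:$false
    Set-VMReplication -ComputerName $ReplicaHost -VMName $VMName -Reverse
    Start-VM -ComputerName $ReplicaHost -Name $VMName
}

# Typical order of operations (run from a host with the Hyper-V module):
# Enable-ReplicaTarget
# Enable-ReplicaForVM -SeedViaExternalMedia
# Test-ReplicaHealth
# Invoke-PlannedFailover     # stops the source VM; run only when you mean it
```

Run Test-ReplicaHealth on a schedule: a health value of Warning or Critical is the early signal that the five-minute window the article describes is no longer being met.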

Microsoft's SMB organization recently published a blog post by WorkITsafe President Steve Rubin, explaining how Hyper-V Replica did in fact keep two small businesses available during Hurricane Sandy. These customers had recently upgraded to Windows Server 2012, and when they realized the full extent of what was about to hit them in lower Manhattan, they activated Hyper-V Replica and executed a planned failover to their IT service provider's Brooklyn data center. Their actions kept their IT infrastructure up, and employees were able to access the network and work from home the entire time.

I think that Hyper-V Replica provides a strong benefit for small and medium businesses that need disaster recovery capabilities (and don't we all?) but can't afford to spend deeply on infrastructure and software for highly sophisticated solutions. It's yet another tool in the Windows Server 2012 tool chest that makes the latest version of Windows Server such a compelling product for companies of all sizes. For a more detailed discussion of Hyper-V Replica, see "Configuring Hyper-V Replica in Windows Server 2012."

InstantDoc ID 145026 
Building Communications Networks to the Highest Standards


Delta Systems, part of the largest nationally owned IT company in Hungary, won the HP-Microsoft Frontline Partner (FTP) of the Year 2012 award for unified communications and collaboration. The availability of a communication network and the quality of its services are critical to a company's business objectives. Drawing on more than 25 years of experience, Delta Systems endeavours to maintain the availability of its clients' networks at the highest possible level. Delta Systems experts offer the most appropriate communication options, from the design of structured networks to the enhanced level of servicing for the constructed systems. In fashioning its portfolio, Delta Systems has endeavoured to meet the demands of clients to the highest standard possible, efficiently assembling the various elements of communication technology.


In 2010, when Microsoft and HP announced that they were combining resources to develop a vendor-driven program that would allow vendors of both companies' products to deliver appliance-like turnkey solutions to common business problems, it seemed as if this type of collaborative solution might be able to address many situations. But delivering solutions that utilized the HP-Microsoft Infrastructure to Application (I2A) model would require vendors who had deep technical understanding of Microsoft infrastructure and management technologies—as well as experience and success in delivering Microsoft applications and collaborative workflow environments to their customers.


Being able to demonstrate this broad level of competency and technical effectiveness led to Delta Systems' recognition as the HP-Microsoft Frontline Partner of the Year 2012. Combining HP hardware and software solutions with Microsoft collaborative workflow and unified communications server software technologies has allowed Delta Systems to deliver effective and efficient solutions. Delivering end-to-end solutions that incorporate everything from the cable plant to storage to collaborative solutions enables Delta to meet the broad range of their customers' needs.

With long experience implementing solutions that utilized Microsoft Windows Server, Exchange Server, SharePoint and what is now the Microsoft unified communications solution, Microsoft Lync, Delta Systems was well positioned to take advantage of the collaborative efforts of Microsoft and HP. Building and deploying enterprise-wide unified communications and workflow collaboration environments is no trivial task, even with the collaborative efforts of HP and Microsoft building solutions targeted at just that set of problems—for example, the HP E5000 Messaging System for Microsoft Exchange Server, one of the first of the appliance technologies to appear from the HP-Microsoft collaboration. This solution is delivered pre-configured and uses the best practices for deployment and use architectures from both Microsoft and HP.

That integration isn't just on the software side of this: With HP BladeSystems and ProLiant server technologies, the integration of HP Insight systems management software with Microsoft System Center, advanced connectivity with HP ProCurve switching technologies, and integration of HP 3PAR storage, Delta Systems is able to deliver a fully integrated solution that supports critical technologies such as on-demand provisioning of servers and storage and rapid deployment and provisioning of messaging and collaborative software applications. Microsoft continues to work on simplifying the deployment of the collaborative workflow solutions, and implementing SharePoint 2010 in conjunction with the HP-Microsoft I2A appliances allows Delta Systems to more rapidly implement custom collaboration and messaging solutions tailored to their customers' business needs.

The existing expertise with Microsoft collaborative solutions and email and HP servers and storage technology makes taking advantage of the HP-Microsoft I2A technologies a natural fit. The shared technology development between HP and Microsoft has meant that customers have been able to take advantage of world-class R&D when deploying their platforms, from mobile through enterprise, and effectively utilize a turnkey approach to delivered enterprise applications in many scenarios.

By combining their core competencies, it has been possible for Delta to design, deliver, and support unified solutions that make the most of Microsoft and HP technologies. The integrated solutions, and the service and support necessary to fully utilize them, have, in turn, enabled their customers to look to building their businesses and not worry about their IT infrastructures. The HP-Microsoft partnership with Delta has resulted in the delivery of business solutions that streamline business processes, increase business efficiency, deliver information whenever and wherever needed, and meet the changes and challenges in the business environment that allow a business to maintain a competitive business advantage.
Microsoft's Transformation: Software Giant to Devices and Services Maker



Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.



With the launch season for Windows 8, Windows Server 2012, Windows Phone 8, and Microsoft Surface finally behind us, I'm looking ahead to the next steps in Microsoft's bold transformation from software giant to, in its words, a maker of devices and services. The firm is often derided for not moving quickly enough—to be honest, I've taken a few spins on that bandwagon myself—but that's certainly not the case now. Indeed, I'm wondering whether Microsoft's customers are moving in the same direction, let alone at the same speed.

To recap, Microsoft’s traditional approach to delivering software 
platforms is no more, or at least is on the way out. Although it will 
continue to offer on-premises and hybrid solutions until enough of its 
customer base has moved to the cloud, make no mistake: The future, 
as Microsoft sees it, is in the cloud, in online services. And it’s racing 
to get to that future. 

The year 2012 was a time of great transition, and Microsoft’s recently 
launched products all play a role in getting from the past (software) 
to the future (services). In 2013, the release of Office 2013 and, as 
important, the next Xbox, will seal the deal and mark the inflection 
point after which all of Microsoft’s major platforms, moving forward, 
will be online services-based. Are you ready for this transition? 

Devices and Services 

To understand the depth of this change, let’s examine what kind of 
company Microsoft says it will be, and how its products today and in 
the near future match its aspirations. The firm spelled out its plans 
in an October 2012 letter to shareholders, customers, partners, and employees. In the letter, CEO Steve Ballmer plainly stated that Microsoft is now a devices and services company and that this "fundamental and significant shift" will be the company's greatest opportunity for the future.

Both halves of this identity are somewhat confusing. Microsoft makes very little in the way of devices today, obviously, and it only recently launched its first-ever computer device, the Surface line of tablets. And although Microsoft certainly has a long history of offering services, this is one of the few areas of the company that has never taken off financially: Its Online Services Division has pretty much always posted a quarterly operating loss. Clearly a plan for the future doesn't involve emulating that level of success elsewhere in the company.

Microsoft As Device Maker 

From a devices perspective, Microsoft today makes the Xbox 360 console; it will replace that with what's expected to be a mobile device—the new Xbox, in late 2013. That Xbox will bring the extensibility of the Windows Store and Windows Phone Store to the living room and connect to an ever-widening array of online services, hints of which can be seen today in the current console.

Microsoft entered the PC market in 2012 with its Surface with Windows RT device and a second model, Surface with Windows 8 Pro, which launch in late January 2013 (as of this writing). Ballmer said that Microsoft plans to expand the line with more Surface devices through 2013, and although some recent rumors of potential Surface devices are a bit farfetched, it wouldn't surprise me to see Microsoft expand into Surface-branded touch-based Ultrabooks and all-in-one PCs next year.

The Surface mission is important, I think, to Microsoft's future. This isn't about Microsoft competing with its partners—it's about Microsoft reclaiming Windows for itself and offering a purer version of its platform to customers than its partners were willing or able to do. Surface will, one hopes, inspire a change in these partners, and the underlying vision—simplicity, modeled on what Apple has been doing for years—is a good one. And Microsoft is clearly willing to go it alone if the partners don't get the message.

These simpler device types are a hallmark of the "devices and services" mantra at Microsoft. There's a reason Microsoft uses the word "devices" and not "PCs." PCs are, of course, a type of device, but the future that Microsoft believes will unfold is one in which the hardware is much simpler, with a smaller on-disk footprint and greater reliance on online services. It is, in other words, a future that's much more like the smartphones and tablets of the past few years and a lot less like traditional PCs.

This vision is why we now have Windows RT—an ARM-based version of Windows 8 that forgoes compatibility with classic desktop applications and much hardware—and Windows Phone 8, a platform that could just as easily have been called Windows 8 Phone. Indeed, Windows Phone 8 and Windows RT have as much in common as do Windows 8 and Windows RT: They're designed to run on the efficient ARM chipsets used by devices, not PCs.

If Microsoft is truly successful in this transition—and, yes, I do think it will be—the mainstream Windows of the future will run on ARM, not Intel, or on ARM as well as an Intel platform that looks suspiciously like ARM and offers the same power management benefits. The recently launched Intel Atom processor Z2760 (formerly code-named "Clover Trail") chipset is a System on Chip (SoC) design that offers a peek at this coming future.

From Software to Services 

While devices are getting simpler—or "dumber," from the critic's standpoint—the services that will form the true heart of the overarching platform are getting much more sophisticated. Part of this is simply due to the passage of time: Broadband access is becoming more pervasive, and these solutions have evolved to offer elegant device-syncing capabilities for offline use, while more of Microsoft's traditionally delivered software is heading to the cloud in the form of online services. It's a perfect storm.

What's interesting about this change is that even Microsoft's core, traditional platforms are increasingly being offered in pure or hybrid cloud services forms and are being serviced as if they were online services. Consider the differences between Windows 7—the latest and last traditional Windows version, one that can trace its lineage back to the first DOS-based version of Windows from 1985—and Windows 8 and Windows RT.

Users received Windows 7 as they did previous versions, with those 
not buying new PCs acquiring the software via a traditional retail 
package and disc. Windows 7 was likewise serviced in the same way 
as previous Windows versions, using service packs (well, one service 
pack, since Microsoft switched gears during Windows 7’s lifetime) 
and various cumulative and standalone updates. 

Windows 8 can be acquired in old-fashioned ways, since we’re in 
the beginning stages of a transition. But it can also be acquired via an 
online service that combines Windows Setup with Upgrade Advisor, 
Windows Easy Transfer, and other tools, to give users the simplest, 
fastest, and most reliable upgrade experience yet. And Windows 8 will 
not be serviced like traditional software was, with service packs and 
other old-school updates. Instead, it will be updated like an online 
service, with a regular series of incremental updates that will include 
new features, as well as bug and security fixes. 

Windows RT, meanwhile, is essentially part of an appliance: You 
can acquire this software only with new, Windows RT-based devices. 
As a member of the Windows 8 family, it, too, will be serviced on the 
same schedule as Windows 8. 

I wrote about Server 2012, Windows Azure, and Microsoft's strategy for the cloud last month in "Microsoft's Cloud OS: A Vision of Infrastructure's Future." The basic strategy is the same: to take previously traditionally delivered software solutions and adapt them for the cloud. For example, Microsoft Visual Studio is a heavy Windows application, one that runs only on traditional Windows versions, but the latest version, Visual Studio 2012, is already being serviced like an online service and will be updated regularly going forward. I suspect future Visual Studio versions will become more service than application, solutions that can be run, perhaps, through a web browser. It's not hard to imagine a web-based version of Visual Studio that could still target locally attached devices for app testing.

On the Office front, Microsoft planned (as of this writing) to formally launch the next Office 365 and Office versions in late January, ushering in the same transformation for its most popular software lines ever. Office is making the transition to both online service and subscription service, and the software suite will offer far more compelling licensing terms to end users, letting them install the applications on up to five devices, which can include Windows PCs and Windows RT devices, but also Android and Apple iPad tablets by mid-2013.

This is where Microsoft's emphasis on devices and services gets interesting. While the one-time software giant is clearly offering its own trend-setting hardware designs, it is also racing to adapt its most relevant platforms to the most successful hardware platforms made by competitors—Apple's iOS and Google's Android. So you're going to see such things as Office and Office servers interacting natively with these devices courtesy of Microsoft-made apps. The SharePoint team has two iPad apps coming out soon, for example. And we're already seeing explicit support on iOS and Android for Xbox interactivity (Xbox SmartGlass), Xbox Music and Video, SkyDrive, Hotmail and Outlook.com, Skype, Bing, and MSN. Much of Microsoft's platform stack is heading to whatever devices make the most sense to use it with.

In fact, I think interoperability is the hidden promise of Microsoft's new vision, for both devices and services. The company hasn't said much about this yet, because it's still early in the transition, and many are still freaked out over what might seem like a fairly impetuous change. But the future is going to be a lot more heterogeneous.

14 Windows IT Pro / February 2013
WWW.WINDOWSITPRO.COM

What Microsoft's Transition Means to You 

Now, let's talk about the final piece in this puzzle: Microsoft's customers. It's not hard to imagine that many rank-and-file Microsoft admins and IT pros out there aren't too thrilled with this transition. But one thing that Microsoft has always done well is bring customers forward. Just as the company will support hybrid environments of both on-premises and hosted solutions for the foreseeable future, it will also let those who manage Microsoft-based systems bring their skills forward. Today's expertise in Active Directory (AD), System Center, and Exchange ActiveSync will map nicely to the management solutions of the future, just as an understanding of on-premises SharePoint will help in the transition to SharePoint Online. It's a continuum.

With Microsoft speeding so quickly to this future, however, it's pretty clear many are going to feel left behind. There's going to be a divide between the haves and have-nots as certain new functionality is provided only in the preferred, online services versions of certain technologies. On the surface, this might seem like any other transition, such as the move to 64-bit systems that caused a drop-off in new 32-bit Microsoft server products. But in this case the effects will be more far-reaching because they will occur across the Microsoft stack.

I believe this is going to happen faster than many will be comfortable with. Ultimately, I return to the conversations I've had with IT pros at the past few Microsoft TechEd conferences, conversations that were triggered by early fears of cloud computing and job loss. Those who entered this field did so knowing that technology would always change and improve and that their careers would continually evolve as well. With this incredible transition, Microsoft is ensuring that your career is going to be more interesting than ever in the coming year. I guess you could view that as good news or bad.
Windows Power Tools

Here's how to turn those tweaks into power tools

Last month, in "Doubling Up Active Directory PowerShell Cmdlets," I showed you how to start building useful PowerShell tools, such as the familiar one-liner that lets you find everyone who hasn't logged on in a certain number of days and disable those users' accounts. As I've said before, such one-liners use the "filter/hammer" approach, whereby you use one command (search-adaccount) to filter out the users you want (people who haven't logged on in so many days) and then perform some kind of task, which in this case was to run the disable-adaccount cmdlet. It took a fair amount of time to learn those first few PowerShell cmdlets, but much of that time was taken up by learning PowerShell itself, so we should be able to move along more quickly now.

Last time, I introduced you to disable-adaccount, a cmdlet that generally requires only one parameter: the name of the account to disable. (There are other parameters, but you generally won't need to know them for a while, if ever.) It's the same story for a bunch of other tools, including a few that will be pretty self-explanatory:

• Enable-adaccount—This command enables a disabled account.

• Unlock-adaccount—This command unlocks a locked account. (See, I told you PowerShell would get more intuitive with practice.)

• Clear-ADAccountExpiration—It's possible to put a characteristic on an Active Directory (AD) account that instructs it to expire on a certain date. This command clears that characteristic.


In case you're wondering, there's no lock-adaccount command. As before, you can use any of these commands in a one-off fashion, as in:

enable-adaccount PatriceM
unlock-adaccount EdDantes

Of course, there's nothing wrong with using these "hammer" cmdlets on their own, but they become more interesting when they're mated with a filter. For example, suppose some local glitch locked a bunch of accounts in the Librarians OU in bigfirm.com. You can unlock them all with

get-aduser -f * -searchbase "ou=librarians,dc=bigfirm,dc=com" |
    unlock-adaccount

Or perhaps you’ve learned that some miscreant has set a bunch of 
account passwords to “never expire,” and until you get to the bottom 
of the matter you’d like to disable those accounts: 

search-adaccount -PasswordNeverExpires | disable-adaccount 

However, before you execute this command, you might want to pause and consider this column's key phrase: "power tool." As with real power tools (e.g., band saws, nail guns), Windows power tools can do great good with little effort, but when you apply them inattentively, they can cause quite a bit of regret. Wording that one-liner differently, as in

get-aduser -f * | disable-adaccount

would turn "just another day at the office" into a scene of weeping, rending of garments, and gnashing of teeth. So please heed my advice: Test your filters before attaching the hammers. More specifically, in our example, use caution and first type

search-adaccount -PasswordNeverExpires

without disable-adaccount. You might see that there are plenty of innocent accounts whose passwords never expire, and that what you really want is

search-adaccount -PasswordNeverExpires -usersonly 

For this reason, I make a habit of running just the "filter" command first. If the results are huge, I can manage them by piping that output into out-gridview, PowerShell's nice "data grid" control that presents output in a spreadsheet-like manner.

Another way to add safety to a home-grown PowerShell power tool is to add -confirm. Pretty much every "hammer"-type command I've come across offers this parameter, so although get-aduser wouldn't have it, unlock-adaccount would. In the example above, the careful IT pro might choose to exercise a little caution the first time by adding these training wheels, as in

search-adaccount -PasswordNeverExpires -usersonly |
    disable-adaccount -confirm

I said that -identity is the parameter you'll most usually employ, but the four "hammers" I've talked about share a few other parameters that you might need now and then. My examples have assumed that I'm logged on to PowerShell as a domain administrator, already possessing the power to shift the fates of a domain's denizens, but you can certainly imagine situations in which that might not be the case. In those situations, you'd just add the parameter -credential (get-credential), which causes PowerShell to pop up a logon dialog box. I'll show you more uses of get-credential as I dive deeper into AD administration. See you next time!
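The column's three safety habits (run the filter alone first, add -confirm to the hammer, and pass -credential (get-credential) when you are not already a domain admin) fit naturally into one reusable function. The following is an added example, not code from the column: it wraps the search-adaccount / disable-adaccount pair in an advanced function so that -WhatIf and -Confirm come from PowerShell's SupportsShouldProcess rather than being remembered by hand. The OU path and domain are the column's own constructed bigfirm.com example; the function name and its -Exclude parameter are my additions.

```powershell
# Added example, not from the column: a "filter/hammer" power tool that
# shows the candidate set before it touches anything, supports -WhatIf and
# -Confirm, and accepts alternate credentials. Requires the ActiveDirectory
# module (RSAT or a domain controller). OU and domain are constructed.
Import-Module ActiveDirectory

function Disable-NeverExpiringUsers {
    # ConfirmImpact = High makes the confirmation prompt the default, so the
    # "training wheels" are on unless the caller passes -Confirm:$false.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # A wrong (or missing) SearchBase is the difference between one OU and
        # the whole domain, so make the caller state it.
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,

        # Pass (Get-Credential) when the current logon lacks the rights.
        [System.Management.Automation.PSCredential]$Credential,

        # Accounts that legitimately never expire (e.g. known service accounts).
        [string[]]$Exclude = @()
    )

    # --- The filter, run on its own: nothing is changed yet. ---
    $searchParams = @{
        SearchBase           = $SearchBase
        UsersOnly            = $true
        PasswordNeverExpires = $true
    }
    if ($Credential) { $searchParams['Credential'] = $Credential }

    $candidates = Search-ADAccount @searchParams |
        Where-Object { $_.Enabled -and ($Exclude -notcontains $_.SamAccountName) }

    # Show what the filter caught before attaching the hammer.
    $table = $candidates |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate |
        Format-Table -AutoSize | Out-String
    Write-Verbose ("{0} candidate account(s):`n{1}" -f @($candidates).Count, $table)

    # --- The hammer, gated by ShouldProcess (-WhatIf / -Confirm). ---
    foreach ($acct in $candidates) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Disable AD account')) {
            $disableParams = @{ Identity = $acct.DistinguishedName }
            if ($Credential) { $disableParams['Credential'] = $Credential }
            Disable-ADAccount @disableParams
            $acct     # emit what was disabled so the run can be logged
        }
    }
}

# Dry run: lists the candidates and what would happen, changes nothing.
Disable-NeverExpiringUsers -SearchBase 'ou=librarians,dc=bigfirm,dc=com' -WhatIf -Verbose

# Real run with alternate credentials; each account is confirmed individually.
# Disable-NeverExpiringUsers -SearchBase 'ou=librarians,dc=bigfirm,dc=com' `
#     -Credential (Get-Credential) -Exclude 'svc_backup'
```

Because the function emits the accounts it disabled, the real run can be piped to Export-Csv to keep a record of exactly which accounts the power tool touched.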
Windows 8 Enterprise Features

See how Windows 8 meets the needs of large organizations


A lot has been made recently about how Windows 8, with its new touch interface, is oriented more toward consumers than toward businesses. I think it's clear that Microsoft's primary push behind Windows 8 has been toward the consumer, but that doesn't mean Windows 8 features for enterprises are any less compelling. Here are the top 10 Windows 8 features for large organizations.

(10) Windows 8 Enterprise edition — Windows 8 Enterprise is the edition that's focused on the needs of larger organizations. All the features listed in this column are available in Windows 8 Enterprise. If you're interested in a more complete breakdown of the features in the different Windows 8 editions, check out Paul Thurrott's excellent article "Windows 8 Secrets, Beyond the Book: Guide to Product Editions."
(9) DirectAccess — First introduced in Windows Server 2008 and Windows 7, DirectAccess is a feature that lets remote users access resources inside their corporate networks without having to launch a separate VPN. DirectAccess makes it easier for users to connect to their corporate networks and for IT departments to keep remote systems in compliance with the latest policies and software updates. In Windows 8, the DirectAccess feature can be deployed with an IPv4 infrastructure.


(8) BranchCache — BranchCache, introduced with Windows 7, lets branch office servers or local PCs cache files and other content from remote servers. The Windows 8 implementation of BranchCache streamlines the deployment process and optimizes bandwidth over WAN connections.

(7) AppLocker — Another Windows 7 enterprise feature that made its way into Windows 8, AppLocker lets you specify which users or groups can run particular applications in your organization based on unique identities of files. When you use AppLocker, you create rules to allow or deny applications from running. Windows 8 AppLocker can restrict Windows 8 apps and regular desktop applications.


(6) RemoteFX — RemoteFX in Windows 8 and Windows Server 2012 provides support for remote touch and USB devices. RemoteFX provides host-side rendering of graphics-intensive workloads and is important for supporting rich virtual desktop infrastructure (VDI) environments. Windows 8 RemoteFX multi-touch lets you run Windows 8 desktops in a VDI environment with complete support for the new touch-enabled UI.


(5) Secure Boot — The Windows 8 Secure Boot feature prevents untrusted OS loaders from running during the start-up process. It relies on Unified Extensible Firmware Interface (UEFI) firmware, which stores a database of trusted signing certificates; the firmware refuses to hand control to a boot loader or boot driver whose signature doesn’t chain to one of those certificates, which stops bootkits and other pre-OS rootkits from loading when the system boots up. Secure Boot covers only the boot chain; malware that runs after the OS is up is outside its scope.

(4) BitLocker — BitLocker was introduced with Windows Vista, but it was restricted to the Enterprise and Ultimate editions. With Windows 8, BitLocker support is in both the Windows 8 Professional and Enterprise editions. The new version can protect system drives and removable drives, as well as Cluster Shared Volumes and SAN storage.
(3) Windows To Go — All new with Windows 8, the Windows To Go workspaces feature lets you create a bootable and fully manageable Windows 8 desktop on a USB drive. When you boot a system with a Windows To Go USB drive, that system’s internal hard disks are taken offline—any Trusted Platform Module (TPM) is not used, hibernate is disabled, and the Windows Recovery Environment (Windows RE) is not available. You can enable BitLocker protection for a Windows To Go workspace.

(2) Scalability — Windows 8 supports maximum memory configurations that were formerly available only in the realm of servers. Windows 8 Core supports up to 128GB of RAM on the x64 platform. Windows 8 Professional and Windows 8 Enterprise both support up to 512GB on the x64 platform. The x86 versions of Windows 8 support a maximum of 4GB of RAM. Windows 8 supports a maximum of two physical CPUs, but the number of logical processors or cores varies based on the processor architecture. A maximum of 32 cores is supported in 32-bit versions of Windows 8, whereas up to 256 cores are supported in the 64-bit versions.

(1) Client Hyper-V — Apart from the UI changes, the most significant enhancement in Windows 8 is its support for Client Hyper-V. The Windows 8 Professional and Enterprise editions provide the same hypervisor technology that’s in Server 2012. Client Hyper-V requires a minimum of 4GB of RAM and support for Second Level Address Translation (SLAT). With Client Hyper-V, you can move virtual machines (VMs) between Server 2012 and Windows 8 Hyper-V. Windows 8 Client Hyper-V is also laptop-friendly: Closing the lid of your laptop and putting it to sleep causes Client Hyper-V to save the state of all your running VMs. ■
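As an added example for the AppLocker item (7) above, not code from the article: the PowerShell AppLocker module can build an allow-list policy from the files in a trusted directory and test candidate paths against it before anything is enforced. The directory, the test paths and the rule-name prefix are assumptions.

```powershell
# Added example (not from the article): build an AppLocker allow-list from the
# executables in one trusted directory and test it before deployment.
# $trustedDir, the test paths and the rule-name prefix are assumptions.
Import-Module AppLocker

$trustedDir = 'C:\Program Files\Contoso'          # assumed application folder
$policyXml  = Join-Path $env:TEMP 'contoso-applocker.xml'

# Collect file identities: the publisher certificate for signed files and a
# file hash for everything, covering EXEs, DLLs and scripts.
$fileInfo = Get-AppLockerFileInformation -Directory $trustedDir -Recurse -FileType Exe, Dll, Script

# Build allow rules for Everyone. Publisher rules are preferred because they
# survive version updates; unsigned files fall back to hash rules, which must
# be regenerated whenever the file changes. -Optimize merges per-file rules
# into one rule per publisher/product where it can.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Contoso' -Optimize -Xml
Set-Content -Path $policyXml -Value $policy -Encoding UTF8

# Dry run: a file with no matching allow rule is denied once the collection is
# enforced, so check both a trusted binary and something from a Downloads folder.
$testPaths = @("$trustedDir\app.exe", 'C:\Users\alice\Downloads\setup.exe')
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $testPaths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deploy only after merging with the default rules (which keep Windows and
# Program Files runnable) and after an audit-only period; an enforced Exe
# collection without the default rules blocks the OS's own binaries.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

Run the policy in Audit only mode first and review the AppLocker event log before switching the collection to Enforce rules; the Application Identity service must be running for either mode to take effect.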
Insights from Gartner Identity and Access Management Summit 2012

Inflection points, standards, and you

In early December 2012, I attended Gartner’s annual Identity and Access Management Summit in Las Vegas, and it was interesting—exciting, actually—to see how much has changed since last year. The most obvious difference from 2011 was the popularity of the conference. The 2011 conference fit comfortably into the conference area of the Sheraton San Diego, a regular-sized hotel on the city’s waterfront. In 2012, it was held in the Caesar’s Palace conference center, where the much broader-interest Data Center conference was held in 2010. (I can’t really say the conference has “moved up” to Caesar’s; I’ll trade sea air for cigarette smoke any day.) The keynote ballroom was double the size of the 2011 conference, and it was comfortably full. Tellingly, when Gartner Managing VP Chris Howard asked for a show of hands of first-time attendees, fully 75 percent of the people in the room responded. From this, I’d deduce that IT pros and their managers are getting management attention on the need for Identity and Access Management (IAM) guidance—certainly enough to get approval to attend a premium conference on the subject!


Trends Revealed 

The rapid rise of interest in identity management as a service (IDaaS) continues, with more vendors offering single sign-on (SSO) capabilities to hundreds of Software as a Service (SaaS) applications with federation for sites that support it and password vaulting for the rest. In the closing session, Gartner Research VP Ian Glazer remarked that there was an “incredible force to move federation to the cloud,” and that the perception of this architecture had changed dramatically in just a couple of years, from an interesting outlier solution to one that many enterprises are seriously considering and implementing. Analyst Earl Perkins stated at the Gartner Catalyst Conference 2012 several months ago that Gartner predicts 40 percent of all IAM sales by 2015 will go to IDaaS solutions.

IAM is assuming a new role in business. Business people (who are, after all, the customers) are now becoming more involved in IAM projects (compared, in the past, with only IT) and are influencing the choices. A major theme for the conference was Gartner’s concept of a “nexus of forces.” Three of these forces—mobility, cloud, and business intelligence—came out of a survey about what CIOs are currently prioritizing. Gartner added a fourth (social) because although survey participants didn’t explicitly state social as a priority, many of their customer-related goals were in fact social. These forces, Gartner believes, support how people want to interact with each other and with their information.

Interest in mobile device management (MDM) has grown considerably; the reality of Bring Your Own Device (BYOD) seemed to have settled in with attendees. The complexities of providing mobile device access to corporate data without entering a very sensitive Active Directory (AD) password, and pushing policies out to those devices, demonstrate the need for MDM as well as for better-recognized IAM solutions. And as I’ve mentioned before, IAM vendors are moving away from providing point solutions and are instead building products (or suites of products) that encompass many different IAM capabilities, theoretically making management of this area a little easier and cheaper. My discussions with vendors on the trade show floor backed this up, and Gartner analysts are saying the same thing. Many vendors are now providing MDM capabilities in their IAM products, though the details vary.

One of the challenges of familiarizing yourself with the ins and outs of cloud identity is that it uses a completely different set of protocols and terms than what the enterprise-centric, Kerberos-loving IT pro is familiar with. In an effort to educate attendees, in a session titled “New-School Identity Protocols Fight for Your Love,” Glazer hosted a panel of five experts, each representing a major cloud identity-related protocol. (The Twitterverse immediately dubbed it a “protocol smackdown”—two words I never expected to see next to each other.) OAuth was represented by Dick “The Hammer” Hardt, OpenID Connect by Nat “Never Surrender” Sakimura, Security Assertion Markup Language (SAML) by Paul “Mad Man” Madsen, System for Cross-domain Identity Management (SCIM) by Kelly “The Killer” Grizzle, and eXtensible Access Control Markup Language (XACML) by David “Boom Boom” Brossard. Each panelist was allowed 20 slides at 20 seconds each to present an overview of his protocol and explain why it was so cool. This presentation format is known as Pecha Kucha, and it was originally conceived as a concise way to make presentations on design topics such as architecture. In a technical presentation, it can seem like information is blasting at you from a firehose, and you’re further distracted by wondering when the slide will change and whether the speaker will keep up. But this approach did get the presentations out of the way in 30 minutes, allowing for panelists to discuss protocol pros and cons among themselves and to answer audience questions. An audience vote at the end declared the SAML authentication protocol (and the venerable Paul Madsen of Ping Identity) the winner.

Still in Flux 

Demonstrating that he can speak as well as write, humorist Dave Barry gave an entertaining keynote about his knowledge of IAM. (Executive summary: He knows nearly nothing.) Barry has given this same routine many times before at Gartner events, I suspect; I saw him deliver the keynote address at the 2010 Gartner Data Center conference, and he also spoke at the 2012 version taking place across the Strip at the Venetian on the same day. Nonetheless, he’s very funny. My favorite quote from Barry’s keynote is, “Cloud computing is about keeping the user’s data away from their cream cheese.”

Cloud identity technology—and its associated market—continues to mature, but almost all aspects of it are still in flux. At the same time, its visibility to mainstream IT is on a strong upswing. IT pros looking into cloud identity are finding a very different and, in many respects, still unsettled world. One of the best things these professionals can do to help settle the dust is to push the SaaS or cloud identity vendors they have toward the standards featured in the aforementioned smackdown. It’s customers, with their cash, who have the loudest voices in this area. That also is one of the purposes of this cloud identity column: to inform IT pros and managers about new aspects of identity that they’ll soon be responsible for, if they aren’t already. ■
Figure 1: Hyper-V Replica at Work (Primary Site to Replica Site)

This month, I want to talk about a new feature in Windows Server 2012 called Hyper-V Replica. This feature provides asynchronous replication over a network of virtual machines (VMs) for the purposes of disaster recovery. If a disaster occurs at a primary site, productivity can be quickly restored by bringing up the replicated VM at the “replica” site, as you see in Figure 1.

One of the first points I want to bring up is that Hyper-V Replica is a disaster recovery solution and not a high availability solution. If the primary site goes down, manual intervention is needed to get the offsite VM replicas up. In a highly available solution (using multisite failover clustering), if the primary site goes down, the offsite VMs automatically come up without manual intervention. This is a question that we get quite a bit, so we wanted to clear up any misconceptions that you might have about what Hyper-V Replica offers.

Hyper-V Replica will track write operations on the primary VM and replicate these changes to the replica server every 5 minutes. So, at any point in time, the “replica” should be no more than 5 minutes behind. The network connection between the two servers uses the HTTP or HTTPS protocol and supports both integrated (Kerberos) and certificate-based authentication. Only the certificate-based HTTPS option encrypts the replicated data on the wire; with Kerberos over HTTP, the VM’s disk changes cross the network in the clear, so use it only over a link you already trust.


Prerequisites

Hyper-V Replica is affordable and doesn’t require any complicated configurations. As long as both sites are running Server 2012 Hyper-V and have network connectivity between the two sites, it’s certainly a disaster recovery solution worth considering. Hyper-V Replica is available only in Server 2012 and not in the client (Windows 8) Hyper-V.

To take advantage of Hyper-V Replica, you must meet the following prerequisites:

• Your hardware must support the Hyper-V role in Server 2012.

• Your primary and replica servers must have sufficient storage and physical memory to host the VMs.

• You must have network connectivity between the locations hosting the primary and replica servers.

• Properly configured firewall rules must permit replication between the primary and replica sites.

• You must have an X.509v3 certificate to support mutual authentication with certificates (if desired or needed).

Set Up Hyper-V Replica 

To set up Hyper-V Replica, you’ll need to go into the Hyper-V settings 
in Hyper-V Manager. In the right-hand pane of the dialog box that 
Figure 2 shows, you’ll see the Replication Configuration settings once 
it’s enabled. By default, this configuration isn’t enabled. 

You’ll need to enable replication on both servers, and the settings 
need to match. The first option to consider is Authentication and 
ports. You can use Kerberos (HTTP) over port 80 or certificate-based 
authentication (HTTPS) over port 443. These are the default ports, 
but you can change them. If you change the ports, you’ll need to 
change the port numbers in the firewall rule (discussed later). 

The other option is Authorization and storage. This setting determines which servers will participate in Hyper-V Replica. It also specifies the local folder where the replica files will reside. You can choose any authenticated server or specific servers. If you choose any server, you can specify a folder location here. If you choose specific servers, the Add button will let you specify a server and folder. Unless you have a reason not to, list the specific primary servers: Allow replication from any authenticated server lets any domain-joined Hyper-V host (or, with certificates, any host holding a certificate the replica server trusts) push VMs onto this server.

Figure 2: Replication Configuration. The Hyper-V Settings dialog has two parts. Under Authentication and ports, you choose Use Kerberos (HTTP), default port 80 (the dialog warns: Data sent over the network will not be encrypted), or Use certificate-based Authentication (HTTPS), default port 443, with a certificate to specify (Data sent over the network will be encrypted); the dialog reminds you to ensure that the ports you specify are open in the firewall. Under Authorization and storage, you choose Allow replication from any authenticated server, with a default location to store Replica files (for example, C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks), or Allow replication from the specified servers.

After you set everything up and click OK, a warning box states Inbound traffic needs to be allowed in the Firewall. There are two inbound firewall rules on a replica server: Hyper-V Replica HTTP Listener (TCP-In) and Hyper-V Replica HTTPS Listener (TCP-In). Depending on the Authentication and ports selection you make, the proper rule to enable will appear in the dialog box. These rules aren’t automatically enabled. If you don’t enable the rule, the primary server won’t be able to make the connection to the replica server. If you can’t make your connection as a replica, the firewall rule and the replica settings should be what you check first. The proper rule must be enabled, and the port it is using must also be configured. So, if you’re using a firewall that comes with another product, you need to ensure that the port is open. The same will need to be set for any routers or gateways between the servers.
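The same server-side setup, done from PowerShell with the Hyper-V module that ships with Server 2012. This is an added example and not code from the column; the host names, storage path and trust-group name are assumptions, and the commands run on the replica server.

```powershell
# Added example (not from the article): configure a Windows Server 2012 Hyper-V
# host to accept Hyper-V Replica traffic, equivalent to the Replication
# Configuration dialog and the firewall step. Host names, the storage path and
# the trust-group name are assumptions; run it on the REPLICA server.
Import-Module Hyper-V

# Authentication and ports. Kerberos/HTTP does not encrypt the replicated data,
# so reserve it for a link that is already protected (IPsec, site-to-site VPN);
# certificate-based HTTPS encrypts the channel and needs a cert on both hosts.
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $false
# HTTPS variant (certificate thumbprint is a placeholder):
#   Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
#       -CertificateAuthenticationPort 443 -CertificateThumbprint '<thumbprint of the host cert>' `
#       -ReplicationAllowedFromAnyServer $false

# Authorization and storage: name the primary servers allowed to replicate here
# rather than "any authenticated server", one entry (and folder) per primary.
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'HyperV1.contoso.com' `
    -ReplicaStorageLocation 'D:\Replica\HyperV1' -TrustGroup 'ContosoSite1'

# The listener rules exist but are disabled by default; enable the one that
# matches the authentication type (HTTPS Listener for certificate auth).
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# Verify what the host now accepts before touching any VM.
Get-VMReplicationServer | Format-List ReplicationEnabled, AllowedAuthenticationType, KerberosAuthenticationPort, CertificateAuthenticationPort, ReplicationAllowedFromAnyServer
Get-VMReplicationAuthorizationEntry | Format-Table AllowedPrimaryServer, ReplicaStorageLocation, TrustGroup
Get-NetFirewallRule -DisplayName 'Hyper-V Replica*' | Format-Table DisplayName, Enabled

# Repeat the same settings on the primary server so that replication can be
# reversed after a planned failover.
```

If you change the port from 80 or 443, the built-in listener rule still matches the old port; adjust the rule (or add your own) and any firewall between the sites to match.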

Configure VMs for Replication 

Once you’ve configured the Replication Configuration settings, you 
need to configure the VMs for replication. Hyper-V Replica is on a 
per-VM selection. You can have all VMs or a subset of VMs, but each 
must be configured separately. 

1. On the primary Hyper-V server, right-click the VM and select Enable Replication from the drop-down list to start the Enable Replication wizard for the VM.

2. On the Specify Replica Server screen, enter either the NetBIOS name or the Fully Qualified Domain Name (FQDN) for the replica server in the Replica server box, and click Next.

3. On the Specify Connection Parameters screen, input the port to use and the authentication type. As long as Remote WMI is enabled, these settings will be filled out for you. Ensure that you double-check them, because if they’re inaccurate, you’ll receive an error and the replica won’t work.

4. The Choose Replication VHDs screen will list all the .vhd files that the VM has. You can select the disk or disks that you want to replicate for the VM, then click Next. Keep in mind that if you need to bring the replica up, any .vhd files that you didn’t select previously won’t appear. If the disk contains data that is important for the VM, it won’t be available.

5. Replication changes are sent to a replica server every five minutes. On the Configure Recovery History screen, which Figure 3 shows, make selections for the number and types of recovery points to be sent to the replica server. If you choose Only the latest recovery point, only the parent VHD will be sent during initial replication and all changes will be merged into that VHD. If you choose Additional recovery points, you’ll need to set the number of additional recovery points (standard replicas) that will be saved on the replica server.

Figure 3: The Configure Recovery History screen

6. On the Choose Initial Replication Method screen, which Figure 4 shows, several methods are available for performing an initial replication of the VM to the replica server. The default selection is Send initial copy over the network. This option starts replication immediately over the network to the replica server. If you don’t want to perform immediate replication, you can schedule it to occur at a specific time on a specific date.

If you wish to not have the initial copy sent over the network, you can choose Send initial copy using external media. This option lets you copy the VM data to an external drive, DVD, USB stick, or other media and move it to the replica server.

Windows IT Pro / February 2013 / WWW.WINDOWSITPRO.COM

What Would Microsoft Support Do?

Figure 4: The Choose Initial Replication Method screen. The wizard (Enable Replication for Test-R2 in the screenshot) shows the size of the initial copy of the selected virtual hard disks (9.8 GB here) and offers three Initial Replication Method choices: Send initial copy over the network; Send initial copy using external media, with a location to export the initial copy to; and Use an existing virtual machine on the Replica server as the initial copy, for when you have restored a copy of the VM on the Replica server. Under Schedule Initial Replication, you can Start replication immediately or Start replication on a chosen date and time.

7. Click Finish. If the firewall port hasn’t been enabled, you’ll 
receive an error message. 
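The same per-VM procedure, steps 2 through 7, as one PowerShell sequence run on the primary server. This is an added example, not code from the column; the VM and host names, the excluded disk path, the media path and the schedule are assumptions.

```powershell
# Added example (not from the article): enable replication for one VM from the
# PRIMARY server, covering wizard steps 2 to 7. The VM and host names, the
# excluded disk path, the media path and the schedule are assumptions.
Import-Module Hyper-V

$vm      = 'Acct-File-Server'
$replica = 'HyperV2.contoso.com'

# Steps 2-5 in one call. Port and authentication type must match what the
# replica server accepts. Only the disks that matter are replicated: a disk
# excluded here simply won't exist on the replica after a failover, so exclude
# nothing the workload needs to boot or serve. -RecoveryHistory keeps that many
# additional recovery points on top of the latest one.
Enable-VMReplication -VMName $vm -ReplicaServerName $replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos `
    -ExcludedVhdPath 'D:\VMs\Acct-File-Server\scratch.vhdx' `
    -RecoveryHistory 4

# Step 6, option A: send the initial copy over the network right now.
Start-VMInitialReplication -VMName $vm

# Option B: export the initial copy to removable media (then import it on the
# replica server), for a WAN that can't absorb tens of gigabytes:
#   Start-VMInitialReplication -VMName $vm -DestinationPath 'E:\InitialCopy'
#   Import-VMInitialReplication -VMName $vm -Path 'E:\InitialCopy'   # on the replica host
# Option C: schedule the network copy for a quiet window:
#   Start-VMInitialReplication -VMName $vm -InitialReplicationStartTime (Get-Date '04:00').AddDays(1)

# Step 7 equivalent: confirm the relationship. The replica is matched by VM ID,
# whatever display name it is given on the replica server.
Get-VMReplication -VMName $vm | Format-List VMName, State, Health, PrimaryServer, ReplicaServer
(Get-VM -Name $vm).Id
```

If Enable-VMReplication fails with a connection error, check the listener firewall rule and the Authorization and storage list on the replica server before anything else, exactly as the text above recommends for the wizard.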

Once the wizard finishes, in the Hyper-V Manager console, you’ll 
see the name of the VM on both the primary and replica servers. You 
can change this nomenclature. Hyper-V Replica will track the VM by its 
Virtual Machine ID. So, on the primary server, you can have the name 
Windows8 and on the replica server, you can call it Windows 8-Replica. 
On the replica server, you’ll see the VM and it will be turned off. The 
replica machines will be prevented from being turned on. If you attempt 
to turn on the VM, you’ll see the error message that Figure 5 shows. 

Figure 5: Hyper-V Manager error when you try to start a replica VM. The dialog reads: An error occurred while attempting to start the selected virtual machine(s). ‘Windows8’ failed to start. (Virtual machine ID 6D9E80CB-B605-49D9-B9E3-91BF2C769AA5) Hyper-V prevented starting virtual machine ‘Windows8’ because replication is ongoing. Virtual machine can be started after performing a failover.

Another popular question is whether you can set up multiple replicas. The answer is no: You can have only one primary server that the VM runs on, and one replica server that holds the copy of the VM. However, you can have multiple Hyper-V servers participating in replication. For example, suppose I have a Hyper-V server called HyperV1 that is running two VMs (Acct-File-Server and HR-File-Server). I can also have two other Hyper-V servers called HyperV2 and HyperV3.

To set this up, I would need to go into the Hyper-V Settings on all the physical machines. Considering the example in Figure 2, if you’re configured for Allow replication from any authenticated server, you’re good. If you selected Allow replication from the specified servers, you’ll need to ensure that the other machines are in the list. When going through the Enable Replication for Acct-File-Server wizard, the Specify Replica Server page will show the HyperV2 server. When going through the Enable Replication for HR-File-Server wizard, the Specify Replica Server page will show the HyperV3 server. Figure 6 illustrates this scenario.

Now that everything is configured, what’s next? When you right- 
click a VM, you’ll see Replication in the drop-down list, along with 
several options depending on whether you’re on the primary server 
or the replica server. If you’re on the primary server, you’ll see the 
Planned Failover, Pause Replication, View Replication Health, and 
Remove Replication options. If you’re on the replica server, you’ll 
see the Failover, Test Failover, Pause Replication, View Replication 
Health, and Remove Replication options. 

Figure 6: Multiple Replicas

Planned Failover. A planned failover is a controlled action you take when you know that the primary Hyper-V server or site will be down. A planned failover will make the replica server the primary server, and vice versa. This action is available only on the primary server. There’s a series of checks that must pass before a planned failover, as well as some actions that the process will take.

• Prerequisite check:

o Check that the VM is turned off.
o Check configuration for allowing reverse replication.

• Actions:

o Send data that has not been replicated to the replica server.
o Fail over to the replica server.
o Reverse the replication direction.
o Start the replica VM.
Failover. Failover is an action that occurs in the event of an unplanned outage. If the primary site goes down, you must select Failover from the secondary replica server on the VM so that it now becomes the primary site and will start. Once the primary site comes back up, you would select Planned Failover to reverse it back. This selection is available only on the replica server. An additional check will ensure that this is the proper action to take. Before it does this, it will try to contact the primary server. If it can’t contact the primary server, it will continue. If it can contact the primary server, it will determine whether the VM is on. If it’s on, it won’t continue. If Failover is chosen accidentally, you can choose Cancel Failover on the secondary replica server from the Replication drop-down list. Cancelling failover will result in a loss of any changes that occurred in the replica VM after the failover operation started.

Test Failover. This is a controlled action to take where you simply want to test that the replica VM on the replica site will come up. When you choose this action, it will create a new VM on the replica server and tag it with a -Test name so that it can be easily identified. The test VM is built from a recovery point already on the replica server, so the primary server isn’t involved and the normal replication of changes between the primary server and the original replica server continues while the test runs. Put the test VM on an isolated virtual switch so it can’t collide with the production VM’s addresses or services. When you’re satisfied that it functions, you can simply power off the -Test VM and delete it from Hyper-V.

Pause Replication. This is a controlled action to take when you 
know that the replica server will be going down. Once the replica 
server is up, you can select Resume Replication. You can take this 
action on either the primary or replica server. 

View Replication Health. This is an action you take to ensure that 
replication is working and that all the changes are getting across. 
These statistics can be reset, refreshed, or saved as a .csv file. You can 
select this option from both the primary and replica server. You’ll see 
the following items in a popup dialog box: 
• Replication State

• Replication Type 

• Current Primary Server 

• Current Replica Server 

• Replication Health 

• Statistics 

o From Time 
o To Time 
o Average Size 
o Maximum Size 
o Average Latency 

o Error Encountered 

o Successful Replication Cycles 

• Pending Replication 

o Size of Data Yet To Be Replicated 
o Last Synchronized At 

Remove Replication. This is an action you would take if you no longer want to have a replica of the VM. You can perform this action on either the primary or replica server. When you’ve removed the replication, you’ll need to manually delete the VM from Hyper-V Manager.

Hyper-V Replica on a Failover Cluster

You can also use Hyper-V Replica on a Server 2012 failover cluster. To add a failover cluster, you must create the Hyper-V Replica Broker role in Failover Cluster Manager. Doing so creates a group in the cluster, to which you provide a Client Access Point (CAP) that includes the name you would connect to; that CAP name, rather than an individual node, is what you enter as the replica server. This capability gives you the extra benefit of high availability for the replica or the primary site.

When running Hyper-V Replica on a failover cluster, you won’t be able to make any changes in the Hyper-V Manager console. When you go into Hyper-V Manager, Hyper-V Settings, and Enable Replication, everything will be grayed out. At the bottom of the window will be the message This server is part of a failover cluster. Use the Failover Cluster Manager to change replication settings. When running on a failover cluster, any replica configuration settings are needed on only one of the cluster nodes. Because it’s a clustered resource, it will have all the changes replicated to the other nodes.

IP Addressing

Finally, think of the network that the VMs reside on. You need to consider the IP address scheme on the networks of the primary and replica sites/servers. For example, suppose your primary replica server has an IP address scheme of 1.x and your secondary replica server has an IP address scheme of 192.168.x. If you use DHCP on the networks and the VM uses DHCP, it will get an address from the DHCP server when it comes up. This is the recommended setting for when Hyper-V Replica servers reside on different networks. If you use static IP addresses, you should set up multiple IP addresses for the VM (one for each network involved). If you bring up the properties of the VM, there is a new option under Network Adapter called Failover TCP/IP, as Figure 7 shows. This is necessary for the VM to communicate with the network it will be on. In the aforementioned example, if you have a VM with the IP address of 1.1.1.1 (running on the primary replica server) and it’s going to run on the secondary replica server that uses 192.168.1.1, it won’t communicate properly on the network. It will have a different gateway, DNS server, and so on, that it might not be able to communicate with.

These VM Failover TCP/IP settings are the settings you would want to set for the replica server/site. The same Integration Services need to be running on both the primary and replica server so that the Failover TCP/IP settings give the proper IP address to the VM based on the server it’s currently running on. When the VM is on the primary site, it will have the normal IP address you’ve set. If it moves to the replica site and starts, it will use the address information that is set under Failover TCP/IP.
Figure 7: Failover TCP/IP. The settings page explains: You can use these network settings to control the static IP address that a virtual machine uses when started as part of a failover. If this virtual machine is configured to use a dynamically assigned IP address, you do not need to configure these settings.


Cost-Effective Option 

Hyper-V Replica is a cost-effective option for disaster recovery of VMs. It doesn’t provide automatic failover to get the replica up; rather, it’s all about manual, administrative-controlled actions. You’ll need to ensure that you have enough disk space and memory, and you’ll need to consider the network scheme on the replica server to accommodate the VM if it needs to start. You can go from a standalone Hyper-V server to another standalone server. You can go from a failover cluster running Hyper-V to another failover cluster running Hyper-V. Or, you can mix the standalone Hyper-V server with the failover cluster running Hyper-V. Finally, remember that there’s only a primary and replica server. You can’t have multiple replicas for an individual VM. (For more information about disaster recovery with Hyper-V Replica, see “Hyper-V Replica for Disaster Recovery.”) ■
Figure 1: Selecting List View for Contacts in Microsoft Outlook 2010


FAQ 

Answers to Your Questions 

Q: How can I create distribution lists in Microsoft Outlook by using categories?

A: All versions of Microsoft Outlook provide a powerful tagging mechanism to assign Outlook items into custom categories.
You can use these color-coordinated categories to group items under 
a common heading, such as project name or region. Contacts are, of 
course, one of the Outlook items to which you can assign categories. 

To assign a category to a contact in Outlook 2010, with a contact 
selected, you click the Categorize icon in the Tags section of the Home 
tab of the Ribbon to show a list of categories you can assign. You can 
also see this list by right-clicking a contact and selecting Categorize 
from the context menu; this method is available in Outlook 2007 as 
well. From the drop-down menu, select an existing category for the 
contact or choose All Categories to see the complete list or to create 
a new category. 

You might have a reason to send an email message or meeting request to a set of contacts that share a category. You can easily perform this task by using the list view in the Contacts folder. In Outlook 2010, select the Contacts folder in the Navigation pane, then the View tab in the Ribbon. Click Change View in the Current View section of the Ribbon, and select List, as Figure 1 shows.
The List View separates contacts into categories. You can also create a custom view here to include only columns you want to see, such as name and email address. In Outlook 2007, where there’s no Ribbon in the main Outlook view, you can select View, Current View, By Category. (For information about using the File as option for organizing contacts, see “Q: What does the File as option for Contacts do in Microsoft Outlook?”)

To send an email message to the contacts within a category, you can easily highlight the Contacts under the desired Category, then click Email in the Communicate section of the Outlook 2010 Ribbon under the Home tab. The equivalent email button, New Message to Contact, resides in the toolbar in Outlook 2007. This action generates a new email message with the email addresses of the contacts listed in the To field. A quick copy and paste is necessary if you want the addresses in the Cc or Bcc fields.

As an example, I have categorized some contacts by region, with a category for North America and one for Europe. Figure 2 shows the contacts under the North America category highlighted in an Outlook 2010 client with the Email button selected in the Ribbon.

Figure 2: Using Categories for Outlook Contacts to Send a Targeted Email Message

You can walk through this process each time you want to email all these contacts, or you could create a Distribution List, or Contact Group as it’s called in Outlook 2010, based on the category. Unfortunately, there’s no magic button at this point to create a new group for the highlighted contacts. You can create a new Contact Group/Distribution List and copy the contacts you have highlighted into the Add Members field. With the desired Contacts highlighted, right-click and select Copy from the context menu. You need to copy the Contacts first because the Add Members window of the New Contact Group/New Distribution List option doesn’t let you go back to other windows in Outlook. Choose New Contact Group in Outlook 2010 or New Distribution List in Outlook 2007. Select Add Members and paste the contacts in the Members field at the bottom of the Window. Assign a name to this Contact Group/Distribution list, and save it. In Outlook 2010, I found I had to remove the column headings from the Members field before saving.

The down side of creating a Contact Group/Distribution List based on Category in this manner is that the Group/List isn’t dynamic. If you change a contact’s category, the change doesn’t affect the Contact Group you made. The Contact Group won’t remain current if the categories are amended. This fact adds another layer of administration to maintaining your contacts.

If you update the categories a lot, I recommend skipping the Contact Group altogether and just pulling your email list from the contacts sorted by category when you need to create a new message. If your categorization remains constant, you might find it easier to use a Contact Group or Distribution List to email all contacts in a certain category. ■

—William Lefkovics
InstantDoc ID 144962
features are hallmarks of the newest release

Paul Robichaux

Microsoft recently released Exchange Server 2013, labeling it “the new Exchange.” (This interesting branding decision implicitly labels all other versions of Exchange as “old,” with all the negative connotations that label carries.) Understanding what’s new in Exchange 2013 requires us to dig into the architectural and feature changes that Microsoft has made—some (but not all) of which the company is touting heavily.



Architectural Changes 

If you remember Exchange Server 2003, then the major architectural 
change in Exchange 2013 will seem very familiar. There are now only 
two roles: the Mailbox server role and the Client Access server role. 

This setup is the same as the front-end/back-end architecture in Exchange 2003, although there are implementation differences. Microsoft split the roles in this way to simplify implementation at large scales. Tight coupling between the server roles no longer exists: The Client Access server role doesn’t keep any state or session data and can be upgraded (or rebooted) independently of the Mailbox server role, and vice versa. This change has several interesting implications.
• The Exchange 2013 Client Access server role (formerly called the Client Access Front End in Microsoft internal documents) becomes essentially a super-smart proxy that no longer needs to maintain state or affinity. Much of the complexity of configuring the Exchange 2010 Client Access server role vanishes.

• Load balancing is completely different. With no requirement for 
affinity, load balancers that work at Layer 4 (the network layer) 
of the OSI model can be used. (There are still cases in which it 
makes sense to use application-aware load balancers that apply 
greater intelligence to deciding when and how to distribute load 
between servers.) 

• Remote Procedure Call (RPC) for mailbox access is dead. You can still use RPC over HTTP Secure (HTTPS), but the RPC Client Access service is no longer part of the equation. This change enables the use of HTTPS-based load balancing, without the Exchange 2010 requirement for separate namespaces or certificates.

• The Hub Transport server role is gone, its responsibilities split 
between the Client Access server and Mailbox server roles. Given 
that few Exchange 2010 sites had combined the Mailbox and Hub 
Transport roles, this change isn’t huge. 

• New services run on the Mailbox server, so you might need to 
re-examine the scaling and sizing decisions that you made for 
Exchange 2010 deployments. 

Brand-New Features 

As is typical for a new release of a major product, Exchange 2013 is full of new features. Knowing what to label “new” can sometimes be difficult because of Microsoft’s habit of making major enhancements to existing features, but several genuinely fresh features are included. The most significant one is arguably the new managed availability functionality. Microsoft describes managed availability thusly on the Exchange Team Blog:
Managed availability is a monitoring and recovery infrastructure that is integrated with Exchange’s high availability solution. Managed availability detects and recovers from problems as they occur and as they are discovered.

This description neatly captures the major points of managed availability: It focuses on detecting problems that the end user will notice and then repairing them automatically whenever possible. The Exchange 2013 managed availability implementation accomplishes this task by performing several kinds of automated checks that probe various parts of the infrastructure. Based on the results of these tests, a variety of automated responders can take action. These actions can range from restarting the responder service, to taking a protocol on a machine out of service (which allows client traffic to be sent to another machine running the same protocol), to forcing a server reboot and restart. There’s also the escalate responder, whose job it is to fire an event that triggers special behavior in System Center Operations Manager or other monitoring software. In this way, Exchange has a customized method for indicating a high-priority failure that requires human intervention. Managed availability represents an ambitious effort by Microsoft to bring high-scale, datacenter-style management to Exchange. This effort offers a lot of potential, although I’m reserving judgment on its worth until I see it proven in the field.

Another major change is the availability of an integrated e-discovery experience. You can now perform discovery searches that include Exchange mailboxes and public folders, archived Microsoft Lync conversations, and material that’s stored in Microsoft SharePoint from a single SharePoint-based interface. Although this feature requires that you deploy SharePoint 2013, organizations that need to perform discovery searches will find this feature valuable because it enables self-service discovery searches for users with appropriate permissions.

Exchange 2013 also includes a group of features that are lumped under the rubric of data loss prevention (DLP). The goal of these features is to reduce the risk that your organization will commit or suffer breaches of sensitive data such as personally identifiable information (PII) of customers, data that must be protected under regulations such as the US Health Insurance Portability and Accountability Act (HIPAA) or European Union Data Protection Directive (EUDPD), or data that you just don’t want to be disclosed. DLP features include a robust set of transport rule-like tools for scanning messages for sensitive data, a predefined set of policies for common regulatory requirements, and tools for customizing the included items or building your own.

It will be interesting to see which of these features drive Exchange 
2013 adoption. Some are likely to be of interest to a small number 
of large customers, whereas a few others seem clearly targeted at a 
broader audience. 


Mailbox Server Changes 

The Mailbox server role remains at the core of Exchange. For this 
release, Microsoft rewrote the Exchange Information Store service 
(store.exe) completely in managed code, taking advantage of the .NET 
common language runtime (CLR) memory-management support. 

The internal architecture of the Information Store service has changed a good deal as well. There’s now a new service, the Exchange Replication service, which controls failover and switchover operations and database mounts and dismounts, plus a service process controller that manages the database worker processes. Each database now has its own worker process, so failure of the Information Store service process should affect only one database at a time. An additional related change has been somewhat controversial: Exchange 2013 is now limited to a maximum of 50 databases per server instead of 100. It remains to be seen how many customers this change affects and whether Microsoft will consider lifting the limit in a future release.

These changes are coupled with several aggressive optimizations to the Store schema itself. Microsoft’s goal for this release was to reduce overall I/O operations per second (IOPS) from Exchange 2010 by as much as 50 percent while enabling the widespread use of databases up to 100GB. To do this, Microsoft essentially traded off CPU and RAM usage for IOPS. By increasing the degree of physical and logical contiguity in the Exchange 2013 schema, fewer large I/Os will be required—but an increased amount of CPU will be needed to handle them. Microsoft is expected to update the Exchange Mailbox Role Calculator (familiar from previous Exchange versions) to take these changes into account.

The Exchange 2013 Store fully supports mixing multiple databases per volume. For example, you can put one active database and multiple passive databases on a single disk. With 8TB drives expected to be available soon, and with the existing recommendation of 2TB as a maximum size for Exchange databases, leveraging both the storage and IOPS potential of large disks by combining databases makes sense. The new Store also implements a new AutoReseed feature. This feature can immediately create a new passive replica of a database on a failed disk by using a spare disk on the server, quickly (and automatically) replacing the failed copy to maintain the correct number of copies in the database availability group (DAG).

In one of the most surprising changes to Exchange 2013, Microsoft has completely re-implemented public folders. The new “modern” public folder system replaces the old multi-master model, which was dependent on the finicky system of public folder replication introduced in Exchange 4.0. The new system is much simpler: Public folders essentially look and act like databases. Public folder databases are stored in DAGs, just as mailboxes are, so you protect public folders against outages by adding multiple replicas of a given public folder database to a DAG. Clients always connect to the active copy of the public folder, which might have implications for scalability in some environments.

Client Access Changes 

As previously mentioned, the new Client Access server role in Exchange 2013 no longer renders data for the client. The only thing it does is perform proxy connections from the client to the appropriate Mailbox server. This proxy-only design eliminates the need for the Client Access server to maintain affinity or state with clients, which in turn enables a much broader range of potential load-balancing solutions. DNS round-robin and Windows Network Load Balancing (NLB) are both fully supported, although neither can recognize the presence of server failures.

Client connections can use IMAP, POP, or Exchange Web Services (EWS), but they no longer use Messaging API (MAPI) RPCs. Instead, all Microsoft Outlook clients must now connect by using the Outlook Anywhere feature (another name for RPC over HTTPS), which wraps MAPI RPCs inside HTTPS packets. This change enables clients to request mailbox connections using a mailbox globally unique identifier (GUID) plus the user principal name (UPN) suffix, without any included reference to a Mailbox server’s Fully Qualified Domain Name (FQDN). Mailboxes are much more portable because the Client Access server and its clients no longer need to know or care about Mailbox server names. The complex Exchange 2010 system of interrelated namespaces (and certificates to secure them) is gone, replaced with a dramatically simpler implementation. To facilitate the use of Outlook Anywhere internally, the Client Access server role now supports a new internal hostname (and matching authentication method), which will be used (if defined) for clients on the LAN.

Another pleasant side effect of the change to the Client Access server design is that cross-site access is much simpler. Clients connect to whichever Client Access server is convenient, and the Client Access server can perform HTTP redirects as necessary to find the correct Mailbox server across Active Directory (AD) sites.

The services the Client Access server offers to clients have changed 
quite a bit as well. Outlook Web App (OWA) 2013 is completely rewritten 
and includes some compelling new features, such as greatly improved 
support for mobile devices such as Apple iPads. OWA 2013 can run 
offline on supported browsers—currently, Google Chrome, Microsoft 
Internet Explorer (IE) 10, and Apple Safari 5.x/6.x on Mac OS X. 
Transport Changes

The transport process has changed significantly because of the two-role architecture. Whereas Exchange 2007 and Exchange 2010 had a separate Hub Transport role, Exchange 2013 does not. The Client Access server role hosts the new Front End Transport service, which handles all inbound and outbound SMTP traffic. The service doesn’t perform any content filtering, although it does provide filtering based on connection, sender or recipient identity, and protocol behavior. The Front End Transport service’s role is rather to act as a centralized, load-balanced ingress and exit point for all SMTP traffic. Bear in mind that the Client Access server isn’t intended to replace the Edge Transport role, so deploying it in a perimeter network is unsupported.

The new Front End Transport service has a completely new approach to mail acceptance and delivery: It has no permanent queues. When a new SMTP conversation is opened, the service accepts the connection, performs filtering based on the SMTP envelope data, and then determines the route to the “best” Mailbox server before starting the delivery process. The Mailbox server is responsible for accepting and queuing the message. If the Front End Transport service cannot connect to a Mailbox server, or if the server doesn’t accept the message, then the Front End Transport service returns SMTP error 421 to the sender, indicating a transient failure that must be retried later. This approach drastically simplifies the Front End Transport service—at the cost of moving the queuing, redundancy, and delivery logic over to the Mailbox role.

The Mailbox server runs three new transport-related services: 

• The Mailbox Transport service does much of what the former Hub Transport role did. The process of mailbox transport is now stateful, so the Mailbox Transport service maintains state information about each message as it passes through the engine. Mailbox transport performs policy enforcement (including enforcing size limits) and provides queuing for messages. This is the only mailbox service that communicates with the Front End Transport service.
• The Mailbox Transport Delivery service accepts mail from the Mailbox Transport service and delivers it to the mailbox database.

• The Mailbox Transport Submission service retrieves mail from the 
mailbox database and submits it to the Mailbox Transport service 
for processing. 

The division of labor between the Client Access server and Mailbox Transport service delivers essentially the same high availability for transport as we had in Exchange 2010, but it’s implemented very differently. The Mailbox Transport service persists every submitted message before the message is acknowledged to the sender. If the Mailbox Transport service does not or cannot accept the message, then the Front End Transport service sends a 421 error to the sender and message delivery is re-attempted later. Messages that are successfully submitted to the transport system are maintained until their final delivery, and resubmission of messages that couldn’t be delivered because of the loss of a transport database or mailbox database failover and switchover is automatic. This new behavior is known as Safety Net, and it’s complex enough that it will probably be the subject of future Windows IT Pro articles and Exchange Team Blog posts.

Interestingly, Microsoft isn’t currently shipping an Edge Transport 
role in Exchange 2013 and hasn’t publicly announced whether or 
when it will do so. Relatively few customers use the Edge Transport 
role, so Microsoft might have chosen to wait or even bake the Edge 
functionality into a future version of an Edge-network product such 
as its Unified Access Gateway (UAG) Server line. 

Unified Messaging Changes 

Unified Messaging (UM) is perhaps the area in which functionality has changed the least in Exchange 2013. The Unified Messaging role is now hosted on the Mailbox server. The Client Access server runs the Unified Messaging Call Router service, which accepts incoming calls and redirects them to the appropriate Mailbox server. The Mailbox server itself is responsible for handling all interaction with the caller, including playing a voicemail greeting or Auto Attendant message and recording the caller’s voicemail.

The remaining UM changes are all enhancements. For example, the Voice Mail Preview feature is more accurate. (Although Microsoft still doesn’t claim that it is 100 percent accurate, nor is it intended to be.) UM can now resolve contacts against all personal Contacts folders in a user’s mailbox. Therefore, caller ID resolution now works with external contacts from Facebook, LinkedIn, and other aggregated sources. Like the other Exchange 2013 roles, the Unified Messaging role now fully supports IPv6. Apart from that, users and administrators will probably not notice any major differences in how UM behaves. Administrators will note the addition of a few new Exchange Management Shell cmdlets for managing the UM services and call router settings.

A Warning 

One major issue does face sites that want to deploy Exchange 2013: It cannot yet coexist with Exchange 2010 on-premises. Exchange 2010 coexistence requires Exchange 2010 SP3, which Microsoft has announced but not released as of this writing. Given the troubles with Exchange 2010 rollups during 2012, any prospective deployment of Exchange 2010 SP3 should be approached carefully and with a thorough testing plan. The necessary changes to support coexistence are already deployed on Exchange Online, so if you’re willing to move your mailboxes to Microsoft Office 365, you can deploy Exchange 2013 without further delay. This delay isn’t all bad, though, because it gives you the opportunity to test Exchange 2013 in a lab environment and get a better sense of its new features and behaviors. It will certainly be interesting to see how customers adopt Exchange 2013 and how Microsoft updates its product guidance and documentation to reflect the lessons learned from that adoption. ■
Microsoft has positioned its most recent server OS, Windows Server 2012, as a fundamental building block for private cloud environments. The new server OS includes numerous changes to the Hyper-V virtual machine manager, including new security features to allow for better and more flexible network isolation between the virtual machines (VMs) of tenants that use the same Hyper-V instance. But Server 2012 also includes important changes to another crucial element of Microsoft-rooted private clouds: Active Directory (AD).

In this article, I focus on some key security changes that Microsoft 
bundles with Server 2012 AD. There’s much to say about Dynamic 
Access Control, which represents a big shift in the Windows and 
AD authorization model. In addition, Server 2012 AD includes some 
smaller but no less important security-related changes. 

Dynamic Access Control: All About Claims 

Dynamic Access Control is probably the most fundamental security change that Microsoft incorporates in Server 2012. Dynamic Access Control integrates the claims-based access control (CBAC) model with the Windows OS and AD. Claims are statements about users or devices (e.g., “My account name is JanDC,” “I am a member of the sales department”) and are issued by a trusted authority. Microsoft first introduced CBAC in Active Directory Federation Services version 1 (ADFS v1), which was bundled with Windows Server 2003.

Claims can provide a flexible mechanism for exchanging trustworthy identity attributes between ADFS servers. Organizations can now use claims to protect the file and folder data stored on domain-joined Server 2012 or Windows 8 machines. Server 2012 domain controllers (DCs) can issue claim statements as part of the user and machine authentication process, by embedding the claims in the user’s or machine’s authentication ticket. (For more information on claims and how Microsoft leverages them, read “A Guide to Claims-based Identity and Access Control.”)

Dynamic Access Control is built on several new and enhanced Windows data-authorization features for classifying and labeling data, applying CBAC settings, auditing access to data, and encrypting data. Under the hood, Dynamic Access Control relies on numerous Microsoft engineering changes to key Windows components, services, and protocols. These include AD, Group Policy Objects (GPOs), DNS, Kerberos, the Local Security Authority (LSA), and the Netlogon processes, as well as network protocols such as Server Message Block (SMB), LDAP, and remote procedure call (RPC). Microsoft has made several Dynamic Access Control-driven changes in Server 2012, including the following:

• Extending the DC and Kerberos Key Distribution Center (KDC) 
logic, to enable the issuing of claims in authentication tokens 

• Changing the Kerberos token format, to enable the transportation 
of claims 

• Adding alternate data streams (ADS) in NTFS, to attach custom 
properties to files and folders 

• Enabling the storage of conditional expressions in the ACLs of file 
and folders, to enable more flexible access control and auditing 
settings 

• Extending the AD schema, to allow centralized storage of 
Dynamic Access Control properties and policies 

Dynamic Access Control can leverage AD to store central access policies (CAPs) and GPOs and to push these policies to domain members. Microsoft also added a Central Policy tab (which Figure 1 shows) in the Advanced Security Settings dialog box for folders. From this tab, administrators can choose the CAP that they want to assign to a given folder. Thanks to these changes, you can now grant access to files and folders in your domain or forest, based on the values of standard or custom attributes of your AD user and machine objects. For example, you can now refuse a user access to a file server share if the Department attribute of the AD user object doesn’t contain the value “Sales” or “Marketing.” This new flexible authorization logic is very different from the user- and group-SID-based logic that we’ve been using for years.

Figure 1: The Central Policy Tab

You can define CAPs from the Dynamic Access Control container in the revamped Active Directory Administrative Center (ADAC), which Figure 2 shows, or by using Windows PowerShell cmdlets. You can call on the same tools to enable claim support for an AD user or machine object attribute and to add values to these attributes. A Server 2012 DC will add claim statements to user and computer authentication tokens only for the user and computer object attributes that actually contain information and that are linked to an enabled claim type. Before your Server 2012 DCs can issue claims, you must explicitly enable them to issue claim statements; indeed, Server 2012 DCs are disabled for CBAC by default. To enable CBAC, use the Domain Controller support for Dynamic Access Control and Kerberos armoring GPO setting in the \Computer Configuration\Policies\Administrative Templates\System\KDC container. To use GPOs to push CAPs to your machines, you can use the new Central Access Policy GPO option in the \Computer Configuration\Policies\Windows Settings\Security Settings\File System container.

Figure 2: The Dynamic Access Control Container
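As an added example (not the article’s own code), this is the PowerShell route to what the last two paragraphs describe: enabling a claim type on the user Department attribute, building a central access rule whose conditional ACE implements the Sales/Marketing example, and bundling it into a CAP. The claim ID ad://ext/Department, the rule and policy names, and the user jdoe are assumptions; the SDDL claim reference relies on that explicitly chosen ID.

```powershell
# Added example, not from the article. Requires the ActiveDirectory module on a
# Server 2012 DC (or RSAT against one). Names below are assumed values.
Import-Module ActiveDirectory

# 1. Enable claim support for the 'department' attribute of user objects. The ID is
#    fixed here so the conditional ACE can reference it by a known name; without -ID
#    the DC appends a random suffix to "ad://ext/Department".
New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -ID "ad://ext/Department" -Enabled $true

# 2. A central access rule. The DACL is plain SDDL: the (A;;FA;;;OW/BA/SY) entries keep
#    the owner, Administrators and SYSTEM in full control; (XA;...) is a conditional
#    ACE that grants Authenticated Users (AU) read/execute (0x1200a9) only when the
#    Department claim in their token is Sales or Marketing. A user whose AD
#    'department' attribute is empty gets no claim at all and so fails the condition.
$dacl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department Any_of {"Sales","Marketing"}))'
New-ADCentralAccessRule -Name "Sales and Marketing read" -CurrentAcl $dacl

# 3. Bundle the rule into a central access policy (CAP). The CAP is what an admin later
#    selects on a folder's Central Policy tab, once the GPO under Computer Configuration\
#    Policies\Windows Settings\Security Settings\File System has pushed it to the server.
New-ADCentralAccessPolicy -Name "Customer Data Policy"
Add-ADCentralAccessPolicyMember -Identity "Customer Data Policy" `
    -Members "Sales and Marketing read"

# 4. Populate the source attribute; the DC only emits claims for attributes that hold a value.
Set-ADUser -Identity jdoe -Department "Sales"

# 5. Checks. Note that the DC still has to be allowed to issue claims through the KDC GPO
#    setting the article names ("Domain Controller support for Dynamic Access Control and
#    Kerberos armoring"); this script deliberately does not touch Group Policy.
Get-ADClaimType -Filter 'DisplayName -eq "Department"' |
    Select-Object DisplayName, ID, Enabled
Get-ADCentralAccessPolicy -Identity "Customer Data Policy" -Properties Members |
    Select-Object Name, Members
# On a Windows 8 / Server 2012 client, after jdoe logs on afresh:
#   whoami /claims      lists the Department claim if the DC actually issued it
```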

Dynamic Access Control brings the flexibility of claims not only to file and folder access control, but also to file and folder access auditing. For example, in Server 2012 you can configure an audit rule to track all users that were allowed or denied access to folders that are marked with the “confidential” property. To centrally define claim-based auditing settings for files and folders, you must call on the GPO Global Object Access Auditing feature that Microsoft introduced in Windows Server 2008 R2 and has now extended with Dynamic Access Control support.

Administrators can also define flexible access control and auditing settings on files and folders, in addition to or independent of the centrally defined CAPs. Microsoft changed the Advanced Security Settings dialog boxes in Windows 8 and Server 2012 to allow you to configure conditional expressions in the authorization and auditing settings of files and folders. Figure 3 shows this new interface, illustrating the definition of a permission that includes a conditional expression on a folder named SharedData.


Figure 3: The Advanced Security Editor



Besides access control and auditing, Dynamic Access Control also provides new, flexible data-classification mechanisms. A good example is the ability to add custom file and folder properties, called global resource properties, to the access control and auditing setting dialog boxes of files and folders. Again, you can do this by using ADAC or PowerShell cmdlets. To propagate these custom properties to your domain machines, Microsoft equipped Windows 8 and Server 2012 clients with a special extension that uses LDAP to connect to AD and retrieve these properties. This new data classification feature gives you the flexibility to classify data based on your selected attributes and to apply protection accordingly.
You can classify files and folders manually by using the Classification tab in the properties of a file or folder, as Figure 4 shows. The Classification tab appears only on systems that have the Desktop Experience feature installed or that host the File Server Resource Manager role service.

For files, you can also automate the classification process by using the File Classification Infrastructure (FCI) feature. Introduced in Server 2008 R2, the FCI allows administrators to define custom classification labels, set up classification and expiration rules, and report on classifications. Administrators can manage FCI from the File Server Resource Manager (FSRM). FCI can also be used with the RMS Bulk Protection Tool to automatically apply RMS protection to files.

This is a very short introduction to Dynamic Access Control. You can find plenty more information, including how to set up, configure, and troubleshoot Dynamic Access Control, in the Microsoft white paper “Understand and Troubleshoot Dynamic Access Control in Windows Server 8 Beta.”
Figure 4: The Classification Tab


New Security Management Functions in ADAC 

In Server 2012, ADAC has become the main AD administration interface. ADAC even outpaces its predecessor—the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in—on the level of administrative features. Two new features that many administrators will welcome are ADAC’s GUI support for recovering deleted AD objects and for configuring fine-grained password policy (FGPP) settings.

Figure 5: The Deleted Objects Container

The AD Recycle Bin was introduced in Server 2008 R2, to enable 
the recovery of deleted AD objects and their attributes. An important 
shortcoming of the Server 2008 R2 AD Recycle Bin was its lack of a 
GUI. Administrators were forced to use either ldp.exe or PowerShell 
cmdlets, two tools that complicate AD object recovery and slow down 
the recovery process. 

As Figure 5 shows, Microsoft has integrated a Deleted Objects container in the Server 2012 ADAC interface. You can now easily restore a deleted user object by using the Restore or Restore To links in the right pane of ADAC. In Server 2012, the same restrictions apply to the use of AD Recycle Bin:

• It isn’t enabled by default (you can enable it from ADAC).

• Your AD forest must be at least at the Server 2008 R2 functional level.

• You can restore deleted objects only within their Deleted Object Lifetime (DOL), which is 180 days by default.


For more information about the AD Recycle Bin, see the “Active Directory Recycle Bin Step-by-Step Guide.”

The second useful GUI addition in ADAC relates to FGPP configuration. Microsoft introduced FGPPs in Server 2008 to allow the definition of multiple Windows domain password and account lockout policies that are linked to different AD user or administrator groups. Before that, Windows Server could support only a single domain password policy. To support FGPPs, Microsoft introduced a new AD object type called the Password Settings Object (PSO).

As for the Recycle Bin, Microsoft didn’t provide a GUI to configure 
FGPPs in the Server 2008 release. Administrators needed to call on 
tools such as PowerShell cmdlets, ADSI Edit, or LDIFDE to define 
PSOs. In Server 2012, you can use the ADAC GUI to define new FGPPs 
and PSOs from the new Password Settings Container that’s underneath 
the System container, as Figure 6 shows. Just as before, your 



Figure 6: Defining Fine-Grained Password Policies 


WWW.WINDOWSITPRO.COM 


Windows IT Pro / February 2013 57 





















domain must be at least at Server 2008 domain functional level to use 
FGPPs. For more details, see “AD DS: Fine-Grained Password Policy 
and Account Lockout Step-by-Step Guide.” 


Group Managed Service Accounts 

Managed Service Accounts (MSAs) are a special type of domain 
account that Microsoft supports in Server 2008 R2 AD and later. MSAs 
overcome the password-management problems that administrators 
encounter when they set up a custom domain account for authenticating 
a service. Administrators prefer to define custom accounts, which 
allow them to better isolate the privileges of an application than 
when using a built-in high-privilege local account (i.e., Local 
System, Local Service, Network Service) as the service account. But 
unlike these built-in local accounts, custom accounts don’t have 
automatic password management. Therefore, when you use custom 
service accounts, you need to manually manage their passwords or 
create a custom management solution. 

MSAs resolve this problem by providing automatic password management. 
They also simplify the setup of Service Principal Names (SPNs) for a 
service. Unfortunately, the MSAs that were introduced in Server 2008 R2 
could not be used by clustered or load-balanced services (e.g., services 
in a web farm) that want to share one service account and password. In 
these scenarios, administrators needed to manually synchronize the 
passwords of the service instances or implement a custom solution for 
automatic password synchronization. 

Server 2012 group MSAs (gMSAs) resolve this problem for load- 
balanced services in web farms. Unfortunately, at the time of writing, 
the MSAs don’t yet work for services that are part of a failover cluster. 

Behind gMSAs, a new service called the Microsoft Key Distribution 
Service runs on every Server 2012 DC. This service ensures that the 
password of the single service account that the web farm service 
instances use is kept in sync between instances. To use gMSAs, your 
AD schema must be updated to Server 2012, and you need one or more 
Server 2012 DCs running the Microsoft Key Distribution Service. The 
service is automatically installed on every DC but defaults to a 
manual startup. Only services that run on Server 2012 can use gMSAs. 
You can create and administer gMSAs by using a set of PowerShell 
cmdlets. For more information on gMSAs, see “Getting Started with 
Group Managed Service Accounts.” 

Primary Computers for Folder Redirection 
and Roaming Profiles 

The last new, powerful feature that I want to discuss in this article is 
the ability to label AD computer objects as the primary computers of 
certain domain users. You can use this feature to control the computers 
to which users’ roaming profiles are downloaded and on which users 
receive access to their redirected folders. On computers that haven’t 
been labeled as primary computers, users will have a local profile and 
won’t have access to their redirected folders. 

In the age of the consumerization of IT and trends such as Bring 
Your Own Device (BYOD), this method is a powerful way to associate 
or dissociate user data and settings with particular computers or 
devices and to improve corporate data security. Designating primary 
computers reduces the security and privacy risks of downloading or 
leaving personal or corporate data on personal or public computers to 
which the user has logged on. 

The Primary Computer feature is based on a set of new GPO settings 
and an AD schema extension. When a user logs on to a Windows 8 or 
Server 2012 machine, the logon logic checks the status of the Download 
roaming profiles on primary computers only and Redirect folders on 
primary computers only GPO-controlled settings. The status determines 
whether the msDS-PrimaryComputer attribute, which is linked to the 
user’s AD user account object, should influence the decision to roam 
the user’s profile or to apply Folder Redirection. The new GPO settings 
are in the \User Configuration\Policies\Administrative Templates\System\ 
Folder Redirection and the \User Configuration\Policies\Administrative 
Templates\System\User Profiles GPO containers. 

Figure 7: Setting a User's Primary Computer 

You can use the ADAC or PowerShell cmdlets to populate an 
AD user object’s msDS-PrimaryComputer attribute with a list 
of DistinguishedNames of computer accounts that should be 
marked as the user’s primary computers. Figure 7 shows how 
you can leverage ADAC and its built-in attribute editor to set the 
msDS-PrimaryComputer attribute for a user named Jack. 



The support for the Primary Computer feature requires that your 
AD schema be upgraded to Server 2012. The feature can be leveraged 
only on domain-joined Server 2012 and Windows 8 machines. For 
more details on how to set up this feature, I advise you to read the 
Storage Team Blog post “Configuring Primary Computers for Folder 
Redirection and Roaming Profiles in Windows Server 8 Beta.” 
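One way to populate the attribute from PowerShell instead of ADAC, as an added example that is not part of the original article: it assumes the ActiveDirectory module, a Server 2012 schema, and placeholder user and computer names (jack, PC-JACK01, LAPTOP-JACK02).

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module,
# a Server 2012 schema, and placeholder user/computer names.
Import-Module ActiveDirectory

Function Set-PrimaryComputer {
    Param(
        [Parameter(Mandatory=$true)][string]$User,
        [Parameter(Mandatory=$true)][string[]]$ComputerName
    )
    # msDS-PrimaryComputer holds DistinguishedNames, so resolve each
    # computer account to its DN before writing.
    $dns = foreach ($c in $ComputerName) {
        (Get-ADComputer -Identity $c).DistinguishedName
    }
    # -Add appends to the multi-valued attribute; -Replace would overwrite it.
    Set-ADUser -Identity $User -Add @{ 'msDS-PrimaryComputer' = $dns }
    # Read the attribute back so the change is verified rather than assumed.
    (Get-ADUser -Identity $User -Properties msDS-PrimaryComputer).'msDS-PrimaryComputer'
}

Set-PrimaryComputer -User jack -ComputerName PC-JACK01, LAPTOP-JACK02

# Before switching on the "on primary computers only" GPO settings, list the
# users that already have a primary computer; everyone else will get a local
# profile and no redirected folders.
Get-ADUser -LDAPFilter '(msDS-PrimaryComputer=*)' -Properties msDS-PrimaryComputer |
    Select-Object SamAccountName,
        @{Name='PrimaryComputers'; Expression={ $_.'msDS-PrimaryComputer' -join '; ' }}
```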
A Model Shift 

Dynamic Access Control represents the biggest shift in the authorization 
and auditing model for Windows files and folders since the introduction 
of AD, and maybe even since the introduction of NTFS. The support for 
Dynamic Access Control is certainly the biggest security change in 
Server 2012 and AD, not only for the Microsoft engineers who developed 
it but also for anyone who decides to use it. If you’re a Windows or AD 
administrator or architect, I advise you to test Dynamic Access Control 
thoroughly and become familiar with it before you start using it. 

ADAC and PowerShell also enter prime time for general and 
security-related AD management tasks in Server 2012 AD. Like 
Dynamic Access Control, ADAC and PowerShell are primarily about 
adding more flexibility and making it easier for the people who 
administer and configure AD day-in and day-out. ■ 
Windows Server 2012 

Improvements in storage, virtualization, and management are worth a look 

Windows Server 2012, arguably the most significant server release Microsoft has 
ever offered, became available for evaluation and purchase to customers around 
the world on September 4, 2012. Server 2012 offers a simplified licensing model 
that includes all features of the OS in all editions of Server. You’ll find improved 
management capabilities in Server Manager and PowerShell. Storage improvements are 
numerous, and Hyper-V enhancements include scalability, live migration upgrades, and 
storage live migration capabilities. Windows IT Pro brings you ongoing coverage of 
Server 2012, with in-depth treatment of significant features, breaking news, and 
analysis. Visit our Windows Server 2012 page for the latest news and technical 
features. ■ 
Top 10 Windows Server 2012 FAQs 

1. How do I remotely view a Remote Desktop session in Windows Server 2012? 
2. What features does NTFS support that ReFS does not support? 
3. How many network adapters can be combined in a single Windows Server 2012 native NIC team in a virtual machine? 
4. I'm using Windows PowerShell to create a new Windows Server 2012 native NIC team, so why isn't the -Confirm flag working to suppress the configuration prompt? 
5. How many network adapters can be combined in a single Windows Server 2012 native NIC team on a physical host? 
6. How do I create a native NIC team in a Windows Server 2012 VM running on Hyper-V? 
7. How do I hot-add memory to a Windows Server 2012 Hyper-V virtual machine? 
8. If I upgrade a Hyper-V host to Windows Server 2012 from Windows Server 2008 R2, will VMs keep running during the upgrade? 
Managing file servers can be a tedious and thankless task for 
many IT pros. But it doesn’t need to be that way. By incorporating 
Windows PowerShell, you can easily get a handle on shared file 
resources—and maybe even have a little fun. And none of it really 
requires any scripting. Everything I want to show you should take no 
more than a few interactive commands. Of course, if you find yourself 
running these commands often, then turning them into a script or 
function is the next logical step. 

The beauty of PowerShell is that you can take the results of the 
commands that I’m going to demonstrate and do whatever you want. 
Need to save the results to a comma-separated value (CSV) file? Pipe 
them to Export-CSV. Need an HTML report? Use ConvertTo-HTML. 
And everything I’m going to show you scales; if you can use a command 
for one computer, you can use it for 10, 100, or 1,000 systems. 

First, let me show you what you can do to manage what you have 
in your file shares today. Then we’ll look at provisioning file sharing. 

Get File Shares 

Let’s begin by identifying what’s being shared. This task is easy: Simply 
use Windows Management Instrumentation (WMI) to query the Win32_Share 
class. You don’t even need to be logged on to the file server. You can 
run this command from the comfort of your cubicle: 

Get-WmiObject -Class Win32_Share -ComputerName MyFile 
Now, when you run this command, you’ll get all shares, including 
printers (if any). Because we’re talking about file shares, let’s limit 
the query. All Win32_Share instances have a Type property, as Table 1 
shows. Thus, to limit the search, we can add a filter to our original 
command: 

Get-WmiObject -Class Win32_Share -ComputerName MyFile -Filter "Type=0" 

This approach gets rid of the administrative shares. You can see an 
example in Figure 1. 

Table 1: Share Instances and Their Type Properties 

Share Type            Value 
File share            0 
Print share           1 
Administrative share  2147483648 
IPC                   2147483651 


Figure 1: Listing Non-Administrative Shares with WMI 





But if you’re looking for other hidden shares—that is, those that 
end in a dollar sign ($)—all you need is a slight tweak to the filter: 


Get-WmiObject -Class Win32_Share -ComputerName MyFile -Filter 
"Type=0 AND Name LIKE '%$'" 

In WMI, the percent character (%) is used as a wildcard. Returning 
all shares except those that are hidden is a little trickier. You’ll need 
to use a compound comparison using a wildcard and a negated character 
class: 

Get-WmiObject -Class Win32_Share -ComputerName MyFile -Filter 
"Type=0 AND Name LIKE '%[^$]'" 

This command returns all Win32_Share objects that have a Type 
property of 0 and a name that doesn’t end in $. 

Get Folder Size 

A typical task that’s probably on your plate is creating reports about 
how much disk space a folder is consuming. The quick approach is to 
simply use Get-ChildItem, or its alias dir, and pipe the results to 
Measure-Object: 

dir c:\shares\public -recurse | 
where {-Not $_.PSIsContainer} | 
Measure-Object -Property length -Sum -Minimum -Maximum 

You’ll end up with a measurement object that shows the total number 
of objects, the total size in bytes, and the smallest and largest file 
sizes. In the previous command, I’ve filtered out folders. PowerShell 
3.0 has better ways of doing this, but the command that I’ve used 
works in both PowerShell 2.0 and 3.0. This is the type of command 
that is best run locally (a great reason to use PowerShell remoting). 
The code in Listing 1 combines this command with our WMI technique 
to get a size report for top-level folders. You can format or process 
$results any way you like. How about an easy-to-read table? Just use 
this command: 

$results | Format-Table Computername,FullName,SizeKB,NumberFiles -autosize 

Figure 2 illustrates the output that you can expect. 

It doesn’t take much more effort to build a comprehensive usage 
report for all shares on a file server. I’ll save you the time: Take a 
look at Listing 2. Again, I can slice and dice $results any way I need. 
Figure 3 shows one approach. 
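The per-share usage report can be assembled from the WMI query and the Measure-Object pipeline above. What follows is an added example written for this edit, not the author's Listing 1 or 2; it assumes PowerShell 3.0, remoting enabled on the file server, and the placeholder server name MyFile.

```powershell
# Added example, not the article's listing. Assumes PowerShell remoting is
# enabled on the file server; MyFile is a placeholder name.
$Computer = 'MyFile'

# File shares only (Type 0), minus the hidden ones whose name ends in $.
$shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer -Filter "Type=0" |
          Where-Object { $_.Name -notmatch '\$$' }

# This scriptblock runs on the file server, so the share path is local there
# and the measurement does not pull every file across the network.
$sb = {
    param($Path, $Share)
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    $m = $files | Measure-Object -Property Length -Sum -Maximum
    # An empty share leaves Sum and Maximum null; report 0 instead of failing.
    $sum = if ($m.Sum) { $m.Sum } else { 0 }
    $max = if ($m.Maximum) { $m.Maximum } else { 0 }
    New-Object -TypeName PSObject -Property @{
        Computername = $env:COMPUTERNAME
        Share        = $Share
        Path         = $Path
        SizeKB       = [math]::Round($sum / 1KB, 2)
        Files        = $m.Count
        LargestKB    = [math]::Round($max / 1KB, 2)
    }
}

# One remote call per share; strip the remoting bookkeeping from the output.
$results = foreach ($s in $shares) {
    Invoke-Command -ComputerName $Computer -ScriptBlock $sb `
        -ArgumentList $s.Path, $s.Name -HideComputerName |
        Select-Object * -ExcludeProperty RunspaceId
}

$results | Sort-Object SizeKB -Descending |
    Format-Table Computername, Share, Path, SizeKB, Files, LargestKB -AutoSize
```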
Figure 2: Easy-to-Read Output 

Figure 3: Usage Report for File Server Shares 


Get Files by Owner 

A variation on this theme is to find file usage by owner. If you use 
quotas, you most likely already have reporting in place. Otherwise, 
all you need to do is retrieve the file ACL, which includes the owner, 
and aggregate the results. I find that the best approach is to add the 
owner as a custom property: 

$data=dir | 
where {-not $_.PSIsContainer} | 
select name, @{Name="Owner";Expression={(Get-ACL $_.fullname).Owner}}, length 

We can group this output by the new owner property, and then process 
the new object: 

$data | group owner | 
Select Name,Count,@{Name="Size";Expression= 
{($_.Group | Measure-Object -Property Length -sum).Sum}} 

With just a little effort, you can apply this approach to a file share, 
as the code in Listing 3 does. I should also point out that you might 
run into issues if filename paths are longer than 260 characters or 
if filenames contain any odd characters, especially if you attempt to 
run Get-ACL. In PowerShell 3.0, this cmdlet supports -LiteralPath, 
which helps. 

I’ll admit that some of these examples are getting to be a bit much 
to type—and they aren’t the only way to accomplish these tasks, 
but the point is that you can. You can also get by with less detail 
and structure for ad hoc style reporting. Figure 4 illustrates this code 
sample with the results formatted as an easy-to-read table. 
Figure 4: Ad Hoc Reporting 

Get Files by Age 

The last reporting technique that I want to demonstrate is building 
a file aging report. Actually, what we’re creating is a collection of 
objects that we can re-use in several ways. You might want to use the 
objects to delete or move files, or you might want to build a report 
that can be emailed to management. Always construct PowerShell 
commands with maximum reuse and flexibility in mind. 

Capturing file aging is a tricky thing. In PowerShell, the file object 
has several properties that you might want to use. For example, 

get-item c:\work\wishlist.txt | Format-List Name,*time 

produces the output in Figure 5. 

I prefer to use LastWriteTime to indicate when a file was last 
touched. I’ve seen situations in which LastAccessTime is updated 
through third-party tools such as virus scanners, which can lead to 
erroneous conclusions. And LastAccessTime has been disabled by 
default since the days of Windows Vista, although you can re-enable 
it. You also need to be careful because these values can change 
depending on whether you’re copying or moving a file between 
volumes. Using this file as an example, we can have PowerShell tell us 
how old the file is, as Listing 4 shows. 

Figure 5: File Aging Data 

Name           : wishlist.txt 
CreationTime   : 11/23/2010 10:31:10 PM 
LastAccessTime : 11/23/2010 10:31:10 PM 
LastWriteTime  : 2/15/2011 7:36:34 AM 



The Age property is a TimeSpan object, and the Days property is 
merely the TotalDays property of that object. But, because we can do 
this for a single file, we can do it for all files. Let’s look at my public 
share and find all the files that haven’t been modified in 400 days. 

dir c:\shares\public -recurse | 
Select FullName,CreationTime,LastWriteTime, 
@{Name="Age";Expression={(Get-Date)-$_.LastWriteTime}}, 
@{Name="Days";Expression={[int]((Get-Date)-$_.LastWriteTime).TotalDays}}, 
@{Name="Owner";Expression={(Get-ACL $_.fullname).Owner}} | 
Where {$_.Days -ge 400} | Sort Days -Descending 

I went ahead and included the file owner. Figure 6 shows the results 
from running this code in a remote session on my file server. 

I could save these results to a variable and reuse them however I 
want. Because I have the full filename, piping the variable to a 
command such as Remove-Item wouldn’t be too difficult. 

Another approach to file aging is to build a report, or object 
collection, based on file age buckets. A little more effort is 
involved; after we calculate or determine the age element, we need to 
add some logic to do something with it. 

One of my favorite techniques is to find out how many files were 
last modified, by year. Again, I’ll use the interactive remoting session 
on my file server to demonstrate: 

dir c:\shares\sales -recurse | Select Fullname,LastWriteTime, 
@{Name="Age";Expression={(Get-Date)-$_.LastWriteTime}}, 
@{Name="Year";Expression={$_.LastWriteTime.Year}} | 
Group-Object Year | Sort Name 

As you can see in Figure 7, it looks as though some cleanup is in 
order. If I need more detail, I can always analyze the Group property, 
which is the collection of files. 


Figure 6 

Running Code in a 
Remote Session 
Figure 7: Discovering Modified Files by Year 

Count Name 
    1 2005 
    2 2007 
   26 2008 
   47 2009 
    5 2010 
   17 2011 
    3 2012 

Finally, what about aging buckets? It might be useful to know how 
many files haven’t been modified in 30, 90, or 180 days. Unfortunately, 
there isn’t an easy way to use Group-Object for this, so I need to take 
a more brute-force approach; take a look at Listing 5. Figure 8 shows 
the result when I run this code against my scripts folder, which I know 
has a decent age distribution. My code doesn’t include the actual files, 
but it wouldn’t be too difficult to modify my example. 
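An added example of the brute-force bucket approach, written for this edit rather than taken from the author's Listing 5: it assumes PowerShell 3.0, uses the placeholder path c:\scripts, and names its buckets to match the columns in Figure 8.

```powershell
# Added example, not the article's Listing 5. Assumes PowerShell 3.0 for
# [pscustomobject]; c:\scripts is a placeholder path.
Function Get-FileAgeBuckets {
    [cmdletbinding()]
    Param(
        [Parameter(Mandatory=$true)][string]$Path,
        # Bucket boundaries in days; anything older than the largest is "Over".
        [int[]]$Days = @(7,30,90,180,365),
        [datetime]$Now = (Get-Date)
    )
    $Days = $Days | Sort-Object              # ascending: 7, 30, 90, ...

    # Ordered so the columns come out like Figure 8: Path, Over, 365Days ... 7Days
    $counts = [ordered]@{ Path = $Path; Over = 0 }
    foreach ($d in ($Days | Sort-Object -Descending)) { $counts["${d}Days"] = 0 }

    # -LiteralPath sidesteps wildcard trouble with odd characters in the path.
    Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $age = ($Now - $_.LastWriteTime).TotalDays
            # Walk the thresholds upward; the first one the age fits is the
            # file's bucket, so the buckets are disjoint. A file with a future
            # LastWriteTime (clock skew) has a negative age and lands in the
            # newest bucket rather than being dropped.
            $bucket = 'Over'
            foreach ($d in $Days) {
                if ($age -le $d) { $bucket = "${d}Days"; break }
            }
            $counts[$bucket]++
        }
    [pscustomobject]$counts
}

# Run locally on the file server, or push the function through remoting:
Get-FileAgeBuckets -Path c:\scripts
# Invoke-Command -ComputerName MyFile -ScriptBlock ${function:Get-FileAgeBuckets} -ArgumentList c:\scripts
```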
Figure 8: File Modification Ages 

Path        Over  365Days  180Days  90Days  30Days  7Days 
c:\scripts  1418      295      183     191      88     18 

Creating File Shares 

Next, let’s look at how we can use PowerShell to create and manage 
files and shares. Everything I’ve demonstrated up to now can work 
in both PowerShell 2.0 and 3.0 (although in PowerShell 3.0, you 
could simplify my examples in a few places). File server management 
in PowerShell 2.0 requires WMI and complicated scripting. But in 
PowerShell 3.0, especially if you have Windows Server 2012, this 
type of management is a thing of beauty. I’m going to switch gears 
and manage a Windows Server 2012 file server from a Windows 8 
desktop so that I can take advantage of some new features. 

Everything we want is bundled into the SMBShare module, which 
is installed on Windows 8 by default. The commands in this module 
let us easily manage file shares locally or remotely. I’m not going 
to cover every command, but they all follow a similar format and I 
strongly encourage you to read the Help and examples. We’ll begin by 
using the New-SMBShare command to create a new file share. 

We need to specify a file path, and unlike what happens when we 
use the GUI, the command doesn’t create the folder if it doesn’t exist. 
So we’ll create one and set the NTFS permissions. Doing so takes 
several steps. Since they must be done on the remote server, I’ll set up 
a PowerShell remoting session: 

$session=New-PSSession -ComputerName SRV2K12RC 

I could use this session interactively, but I’m going to run the 
commands by using Invoke-Command, which is preferable when you’re 
building an automated process. First, I’ll create the new folder: 

invoke-command -ScriptBlock {mkdir c:\shares\companyfiles} 
-Session $session 

Now for the tricky part. I want to set the NTFS permissions so 
that \JDHLAB\Domain Users have Change permission. This goal 
requires creating a new access rule, modifying the access rule list, 
and re-applying it to the folder. I’ll put the commands in the 
scriptblock that Listing 6 shows. I wrote this scriptblock so that it 
takes a parameter for the path, which makes it re-usable: 

Invoke-Command -ScriptBlock $sb -Session $session -ArgumentList 
c:\shares\companyfiles 
There are ways to streamline this process, but I kept the steps 
distinct for the sake of clarity. Now we’re ready to create the share. 

I could use the session, but I want to demonstrate how you might 
use the New-SmbShare command to remotely connect to a file server: 


New-SmbShare -Name Files -Path c:\shares\companyfiles 
-CimSession SRV2K12RC -FullAccess "jdhlab\domain admins" 
-ChangeAccess Everyone -Description "Company files" 


The default share-access permission is Readonly. I’ve granted 
domain admins Full Control on the share, and everyone else has 
the Change permission. The path is relative to the remote computer, 
which must be running PowerShell 3.0. 


Advanced Share Settings 

We can look at our share any time by using the Get-SMBShare 
command, as you can see in Figure 9. We can set a few extras with our 
file shares, such as whether to encrypt the SMB connection, which type 
of folder enumeration mode to use, and which type of caching mode 
to use. I’m going to use Set-SMBShare to fine-tune the share that I 
just created, as Listing 7 shows, because I neglected to define these 
properties during the share’s creation. 


Figure 9: Using Get-SMBShare to Review a Share 

PS C:\> Get-SmbShare -Name Files -CimSession SRV2K12RC 

Name  ScopeName Path                   Description 
Files *         c:\shares\companyfiles Company files 

PS C:\> Get-SmbShare -Name Files -CimSession SRV2K12RC | select * 

PresetPathAcl         : 
ShareState            : Online 
AvailabilityType      : Nonclustered 
ShareType             : FileSystemDirectory 
FolderEnumerationMode : Unrestricted 
CachingMode           : Manual 
CATimeout             : 0 
ConcurrentUserLimit   : 0 
ContinuouslyAvailable : False 
CurrentUsers          : 0 
Description           : Company files 
EncryptData           : False 
Name                  : Files 
Path                  : c:\shares\companyfiles 
Scoped                : False 
ScopeName             : * 
SecurityDescriptor    : O:BAG:DUD:(A;;FA;;;DA)(A;;0x1301bf;;;WD) 
ShadowCopy            : False 
Special               : False 
Temporary             : False 
Volume                : \\?\Volume{83cce864-bf2c-11e1-bbba-806e6f6e6963}\ 
PSComputerName        : SRV2K12RC 
CimClass              : root/microsoft/windows/smb:MSFT_SmbShare 
CimInstanceProperties : {AvailabilityType, CachingMode, CATimeout, ConcurrentUserLimit...} 
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties 


Listing 7: Fine-Tuning a Share 


PS C:\> Set-SmbShare -Name Files -EncryptData $True 
-FolderEnumerationMode AccessBased -CachingMode 
Documents -CimSession SRV2K12RC 

Confirm 

Are you sure you want to perform this action? 

SRV2K12RC: Performing operation 'Modify' on Target 'Files'. 

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] 
Help (default is "Y"): 


I applied this change to a single file share, but it would have been 
just as easy to use Get-SMBShare to retrieve all file shares and then 
pipe them to Set-SMBShare and apply a change to all of them: 

Get-SMBShare -CimSession SRV2K12RC -Special $False | 
Set-SmbShare -EncryptData $True -Confirm:$false 

This command retrieved all the shares (except administrative shares) 
on SRV2K12RC and set the EncryptData property to True. I didn’t 
want to answer a prompt for each share, so I set the -Confirm switch 
to False. Set-SMBshare won’t write anything to the pipeline unless 
you use -Passthru. But I was able to modify everything with one 
simple command. 
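Before changing every share in bulk, it helps to know which ones actually need it. The following is an added example, not the author's code; it assumes the SMBShare module and the placeholder server name SRV2K12RC used in the article, and uses Get-SmbShareAccess for the share-level permissions.

```powershell
# Added example, not from the article. Assumes the SMBShare module
# (Windows 8 / Server 2012 or later); SRV2K12RC is a placeholder name.
$Server = 'SRV2K12RC'
$cim = New-CimSession -ComputerName $Server

# One row per non-administrative share, with the settings a reviewer
# cares about: SMB encryption and whether Everyone can write.
$report = Get-SmbShare -CimSession $cim -Special $false | ForEach-Object {
    $share = $_
    # Share-level ACL, which is separate from the NTFS ACL on the folder.
    $access = Get-SmbShareAccess -Name $share.Name -CimSession $cim
    $everyoneWrite = $access | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -ne 'Read'
    }
    New-Object -TypeName PSObject -Property @{
        Name          = $share.Name
        Path          = $share.Path
        EncryptData   = $share.EncryptData
        EveryoneWrite = [bool]$everyoneWrite
        Enumeration   = $share.FolderEnumerationMode
    }
}
Remove-CimSession $cim

# Shares that deserve a look: unencrypted, or writable by Everyone.
$report | Where-Object { -not $_.EncryptData -or $_.EveryoneWrite } |
    Format-Table Name, Path, EncryptData, EveryoneWrite, Enumeration -AutoSize
```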

Removing Shares 

The last thing to look at is removing a share. The code in Listing 8 
stops sharing the share that I just created. Could it get any easier? Of 
course, the folder structure is still in place on the file server. 



Putting It All Together 

Let’s wrap this up by putting all the management pieces together in 
one place: a PowerShell workflow. I don’t have space to cover this 
terrific addition to PowerShell or to go into my code sample, but the 
great thing about a workflow is that I can have some commands run in 
parallel. For example, after the folder is created, I can create the share 
and set the NTFS permissions at the same time, as Listing 9 shows. 
Listing 9: Creating a Share and Setting NTFS Permissions 

Workflow New-FileShare { 
    Param( 
        [string]$Name, 
        [string]$Path, 
        [string]$Principal, 
        [string]$Right="Modify" 
    ) 
    #This must be done first. 
    Sequence { 
        #create the folder 
        Write-Verbose -Message "Creating new folder $path on $pscomputername" 
        $newfolder = New-Item -Path $path -ItemType Directory 
    } 
    #Then this step can happen. 
    Sequence { 
        Parallel { 
            #these commands can happen in parallel 
            InlineScript { 
                Write-Verbose -Message "Modifying NTFS permissions" 
                Write-Verbose -Message "Creating entry for $using:principal with a right of $using:Right" 
                $entry=New-Object -typename System.Security.AccessControl.FileSystemAccessRule -argumentlist $using:Principal,$using:Right,"allow" 
                #get the existing ACL 
                $acl = Get-ACL -path $using:path 
                #add the new entry 
                $acl.AddAccessRule($entry) 
                Write-Verbose -Message "Applying the new ACL" 
                Set-Acl -Path $using:path -AclObject $acl 
            } #inline 

            #Create the share. 
This workflow creates a new folder and file share, assigning 
permissions to a user or group. I can execute this workflow from my 
Windows 8 desktop and have it run on my Windows Server 2012 file 
server by using the following command (which should be entered on 
one line). 

New-FileShare -Name adeco -Path c:\shares\adeco -Principal jdhlab\adeco 
-Right "FullControl" -PSComputerName SRV2K12RC 

The process takes only a few seconds. You can see the results in 
Figure 10. 
Figure 10: Creating File Shares with a PowerShell Workflow 




There’s nothing wrong with using the GUI to manage your file 
servers. But when you’re looking for specialized reporting or 
provisioning automation, PowerShell is your best bet. 

You can download a copy of my code samples from the Windows 
IT Pro website. If you have questions about any of these examples (or 
other PowerShell issues), use the forums at PowerShell.org. ■ 

InstantDoc ID 143789 
Center 2012 Data 
Protection Manager 

Enhanced backup and disaster recovery 

According to Enterprise Strategy Group (ESG), the number-one 
IT spending priority in 2012 was improving data backup and 
recovery, tied with increased use of server virtualization. 
Interestingly enough, improving business continuity or disaster recovery 
(BC/DR) scored in the top 10 as well. There are two key reasons. First, 
commoditization of virtualization has made many IT processes easier 
but makes backups more difficult. Second, data is growing faster than 
most organizations can manage it, and legacy backup solutions are 
choking to keep up. Other factors include an ever-growing reliance on 
IT (forcing raised prioritization of BC/DR) and the consumerization 
of IT (causing new protection scenarios for privately owned endpoint 
devices). Add the growing complexities of backing up and recovering 
Microsoft workloads (e.g., Microsoft SQL Server, SharePoint, Exchange 
Server, Hyper-V, Windows Server file services), and you can understand 
why Microsoft started building its own data-protection solution. 

Microsoft introduced Volume Shadow Copy Service (VSS) in 2003, 
but that only worked if the backup and storage vendors chose to uti¬ 
lize the VSS APIs. Microsoft needed to assure customers that they had 
a viable (and supported) backup-and-recovery capability, as part of 
sustaining (or raising) customer satisfaction and adoption of Windows 
Server. With supportability and workload adoption in mind, Microsoft 
released Data Protection Manager (DPM) 2006 in late 2005. This disk-
to-disk protection capability was optimized for branch office file
servers and served to augment a legacy tape-based solution.
Eighteen months later, DPM 2007 brought application protection
for Microsoft workloads, as well as added tape support. This release 
changed the dynamic with Windows-centric backup vendors. 

DPM 2010 offered further enhanced workload and tape support and 
added client-node protection. This change enabled Windows laptops 
to be backed up and recovered, even when connected via the Internet 
or disconnected from a local backup cache. In addition, the basic rep¬ 
lication features for DR were augmented, and monitoring (via System 
Center Operations Manager) was enhanced. Arguably, with three ver¬ 
sions and 5 years of experience in market, DPM offered a credible mid¬ 
market backup solution, especially for those customers who ran “pure 
Microsoft” environments. Then came DPM 2012. 

System Center 2012 DPM 

In April 2012, Microsoft announced general availability of Microsoft 
System Center 2012, which comprises numerous—and in some cases, 
formerly separate—products, one of which is DPM. DPM in System 
Center 2012—informally referred to as DPM 2012—has three comple¬ 
mentary focus areas: 

• Evolve from a small-to-midsized business (SMB) and midmarket 
offering to something that’s credible for large-scale enterprises (or 
at least for the Windows-based nodes within an enterprise). 

• Integrate and interoperate with the rest of the System Center 
family, not only for “better together” data-protection capabili¬ 
ties, but also to remain relevant within the Microsoft-driven 
management story. 

• Continue to evolve core features and workload support, refine 
experience, and resolve engineering issues. 

Centralized Administration via Operations Manager 

Easily the most noticeable and important enhancement in DPM
2012 is the addition of the Central Console, through System Center
2012 Operations Manager. Operations Manager has been monitoring
DPM for a few years with varying success, but System Center 2012
provides not just complete monitoring but also management for its
backup product.

Previously, a DPM administrator needed to maintain a Microsoft 
Excel spreadsheet detailing which production servers were protected 
by which DPM server. Any configuration, troubleshooting, or restora¬ 
tion requests required you to connect, via Terminal Server, to the con¬ 
sole of a particular DPM server. Although these requirements weren’t 
horrible in midsized organizations, they were painful enough that 
large enterprises, which likely owned the entire System Center suite 
license, would leave the DPM components on a shelf. System Center 
2012 changes this situation, not only for DPM 2012 servers but also 
for DPM 2010 servers. That’s right: By adding even one DPM 2012 
server and an Operations Manager 2012 server, your existing DPM 
2010 servers gain centralized management as well. 

Management, not just monitoring. In the left pane of Operations 
Manager, you can expand what initially appears to be just another 
DPM management pack. From there, you can check the status of 
DPM servers, protected servers (including predefined subsets based 
on workloads such as SQL Server or Exchange), and alerts (e.g., 
tape media alerts, failed jobs, disk capacity issues). As is typical 
in Operations Manager, when you select a particular alert in the 
center pane, several other portions of the console change. Detailed 
information about the alert appears in the bottom-center portion of 
the console, and context-specific actions appear in the right pane, 
as shown in Figure 1. 

This is where things get good. Every Operations Manager man¬ 
agement pack comes with a wealth of knowledge about symptoms, 
likely causes, and recommended resolution actions. The DPM pack 
is no exception. Whenever you click an alert in the top-center pane 
of the console, the bottom-center pane displays the known informa¬ 
tion about the alert, including suggested resolution actions (which 
are often direct hyperlinks, such as Restart Service). Along with the 
Figure 1

DPM Server Alerts in 
Operations Manager 
Console 





specific action listed in the Knowledge Base, the right pane of the
Operations Manager console often offers actions, some of which
(e.g., Ping Server) are generic and others of which (e.g., Modify
Disk Allocation in Storage Pool) are specific to the platform being
managed.

Focused troubleshooting. Imagine a DPM backup job failing
because its storage pool has been maxed out (and autogrow hasn’t
been enabled). When the job fails, Operations Manager receives an
alert. Operations Manager will likely receive several alerts because
the disk capacity can affect multiple jobs. Operations Manager bub¬ 
bles up an alert to be serviced (and to notify the Operations Manager 
administrator accordingly). At this point, you (as the administrator) 
might see the hyperlink in the Knowledge Base, or you might simply 
click Modify Storage Allocation in the right pane. In either case, the 
mini-wizard UI that was previously seen within the DPM console 
now pops up within Operations Manager. From there (i.e., without 
using any DPM UI or Terminal Services screen), you can change the 
storage allocation. After doing so, you can use another action in the 
right pane to Restart Backup Job, and you’re done. 
Before DPM 2012, you needed either to routinely check each DPM
server’s alert page (by connecting Terminal Services to each con¬ 
sole) or to react after an early Operations Manager management pack 
alerted you (which also required a Terminal Services connection). 

Most (though not all) common management tasks can now be 
performed as actions within the Operations Manager UI. For those 
(far fewer) times when you need to connect to a particular DPM 
server for specific troubleshooting tasks, you can also do so through 
the Operations Manager UI. Clicking a DPM server and selecting 
Connect to brings up a scoped-down DPM UI, in which the terminal 
session is created behind the scenes. This UI shows the tabs that are 
necessary to resolve the issue. The protection groups are filtered, 
and the Alerts and Jobs tabs are scaled back to show only the infor¬ 
mation that’s related to the error or errors, as shown in Figure 2. 



Figure 2 

DPM UI Invoked from 
Operations Manager 


Role-based management. Another benefit of using Operations Man¬ 
ager as the primary console for DPM is something that DPM admin¬ 
istrators have clamored for: role-based management. Prior to DPM 
2012, you needed to be a local administrator of each DPM server, and 
you often needed to have raised privileges on every production server
that you were protecting or recovering to. 

With System Center 2012, the role-based management capabilities 
of Operations Manager can be used to scope a DPM administrator 
to one of several preconfigured or manually configured roles. Some 
roles or capabilities include the following: 

• Monitor backup jobs (only) 

• Define new protection policies

• Restore data 

• Monitor and manage tape media 

Figure 3 shows an example of only a few of the predefined roles and 
their permissions within DPM. 

Figure 3

Table of Predefined
DPM Roles Within
Operations Manager UI

Roles: RO = Read Only Operator, RP = Reporting Operator, HD = Help Desk
Operator, RC = Recovery Operator, EE = Escalation Engineer, TO = Tape
Operator, TA = Tape Admin, DA = DPM Admin

    Action                        RO   RP   HD   RC   EE   TO   TA   DA
    View Jobs & Alerts            Y    N    Y    Y    Y    Y    Y    Y
    Manage Reports                N    Y    N    N    N    N    N    Y
    Resume Backups                N    N    Y    N    Y    Y    Y    Y
    View Recovery Catalog         N    N    N    Y    N    N    Y    Y
    Recover (From Disk & Tape)    N    N    N    Y    N    N    Y    Y
    Create Recovery Point         N    N    N    N    Y    Y    Y    Y
    Run Consistency Check         N    N    N    N    Y    N    N    Y
    Modify Disk Allocation        N    N    N    N    Y    N    N    Y
    Enable / Disable Tape Drive   N    N    N    N    N    N    Y    Y
    Perform Fast Inventory        N    N    N    N    N    Y    Y    Y
    Manage Protection             N/A  N/A  N/A  N/A  N/A  N/A  N/A  Y
    Agent Management              N/A  N/A  N/A  N/A  N/A  N/A  N/A  Y
    Storage Management            N/A  N/A  N/A  N/A  N/A  N/A  N/A  Y

New DPM Interface and Workload Enhancements 

With all the excitement about using Operations Manager as the pri¬ 
mary UI for DPM, one might not initially notice that the DPM-specific 
UI also received an update. Using the same framework as the other 
System Center 2012 components, DPM 2012 uses what some refer to 
as the “Outlook” style: a prominent ribbon across the top, key opera¬ 
tion areas in the left pane (including pane buttons in the lower left), 
and a context-sensitive right body window, as shown in Figure 4. 





Figure 4 

New DPM 2012 
Interface 


Each release of DPM continues to confirm Microsoft’s commitment
to offering a “best-of-breed” solution exclusively for Microsoft
workloads, including Windows desktops and file servers, as well as
application servers such as SQL Server, Exchange, SharePoint, and
Hyper-V.

Enhanced Hyper-V protection. DPM 2012 takes the file-system
filtering technology that it uses to protect other workloads’ files and
databases and applies the same approach to protecting Virtual Hard
Disk (VHD) files. For those familiar with VMware vStorage, this
filtering technology is similar to the VMware ESX Changed Block
Tracking (CBT) function of monitoring and noting changed blocks as they
occur. When it’s time for a scheduled backup, the change log fetches
and transmits only those blocks. As a result, backup of virtual
machines (VMs) occurs much more quickly and with very little overhead.
As I mentioned, Microsoft has used this methodology since DPM 2006 but
added it to Hyper-V, along with the enhancements in DPM 2012 and some
behind-the-scenes updates to VSS, only as of Windows Server 2008 R2.
Because this process is less I/O-intensive on the hypervisor and VMs,
another result of the enhancement is the enablement of more frequent
backups.

Virtualized backup servers. Also related to virtualization and DPM,
the backup server can now be virtualized. You could run a virtualized
DPM 2010 server, but you sacrificed a few key capabilities, such as
file-level recoveries of VMs. (Virtualized instances of Windows Server
2008 don’t support mounting a VHD inside a VM because mounting
a VHD was part of the Hyper-V role, which isn’t available within a
VM in Server 2008.) Because of enhancements in DPM 2012, along
with its prerequisite of Server 2008 R2 (which has the native ability to
mount a VHD), virtualized DPM 2012 servers can restore individual
files or directories from a host-based backup of a VM.

Optimized SharePoint restores. Although DPM has almost always 
been able to offer single-file restores from a SharePoint farm, the pro¬ 
cess hasn’t always been smooth. Every release of DPM gets better 
at restoring SharePoint, in part because of SharePoint’s continued 
evolution. 

• DPM 2007 needed to use Microsoft Office SharePoint Server
2007’s Recovery Farm option to restore an entire content database,
which would then restore single files.

• DPM 2010 no longer required a Recovery Farm because Microsoft
Office SharePoint Server 2010 didn’t. Instead, it could recover the
content database to any instance of SQL Server on the intranet,
and then restore a file, although it still needed to recover the
database first.

• DPM 2012 restores the file only. It mounts the database within
its backup storage pool, using its own running instance of SQL
Server, and then plucks out the file for easy and fast restores.

What might have taken an hour in DPM 2010 (to recover the database
first) now takes around 20 seconds in DPM 2012. Nice job!
Generic data source protection. Microsoft has always aspired for
DPM to be the best for Microsoft backups and restores. With System 
Center 2012, Microsoft is reaching for DPM to be the best for Windows. 

Although not a fully developed feature, DPM 2012 opens the door 
to protect other (non-Microsoft) workloads that run on Windows. 
Essentially, Windows already provides the core plumbing for any 
Windows-based application to be systematically protected through 
VSS functionality. 

• VSS requesters are components of the backup agent. These com¬ 
ponents request that an application prepare its data for protection. 

• VSS writers are components of the workload (e.g., SQL Server). 
These components receive VSS requests and then prepare the data 
for protection by performing functions such as flushing database 
transactions in memory, checkpointing databases, and so on. 

• VSS providers operate at the storage layer and are provided by either 
the hardware array or the software VSS provider within Windows. 


DPM can play a key 
role in your overall 
backup and 
protection 
solution. 


With DPM 2012, Microsoft has started providing guidance that
enables any application with a VSS writer to be visible for protection
by the DPM backup agent. In addition, other application owners can
create an XML file that describes the behaviors that an application
should perform, essentially enabling the Windows file system’s VSS
writer to then protect the data.
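Whichever writer ends up handling an application, the requester only gets a consistent snapshot if that writer is healthy when the backup runs. The following is an added example, not from the article or from DPM itself: it parses the output of the built-in vssadmin list writers command (which must be run elevated) and flags writers that are not in the Stable state or that recorded an error, which is the check a practitioner wants before a scheduled job is allowed to start. The sample text it runs against is constructed for offline use; the writer names and GUIDs in it are illustrative.

```powershell
# Added example, not from the article or from DPM: check VSS writer health before a
# backup. Parses the output of the built-in 'vssadmin list writers' (run elevated) and
# flags writers that are not Stable or that recorded an error.
function ConvertFrom-VssWriterList {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $writers = New-Object -TypeName 'System.Collections.Generic.List[object]'
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            '^Writer name:\s+''(.+)''$' {
                # A new "Writer name:" line starts the next record; flush the previous one.
                if ($current) { $writers.Add([pscustomobject]$current) }
                $current = [ordered]@{ Name = $Matches[1]; Id = $null; State = $null; LastError = $null }
            }
            '^Writer Id:\s+(\{[0-9a-fA-F-]+\})$' { if ($current) { $current.Id = $Matches[1] } }
            '^State:\s+\[\d+\]\s+(.+)$'          { if ($current) { $current.State = $Matches[1] } }
            '^Last error:\s+(.+)$'               { if ($current) { $current.LastError = $Matches[1] } }
        }
    }
    if ($current) { $writers.Add([pscustomobject]$current) }
    $writers.ToArray()
}

function Test-VssWriterHealth {
    param([object[]]$Writers)
    # Only a Stable writer with no recorded error will give the requester a consistent snapshot.
    $Writers | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample in the format vssadmin prints (not captured from a real host).
$sample = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2012 Microsoft Corp.

Writer name: 'SqlServerWriter'
   Writer Id: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
   Writer Instance Id: {11111111-2222-3333-4444-555555555555}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Hyper-V VSS Writer'
   Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
   Writer Instance Id: {22222222-3333-4444-5555-666666666666}
   State: [8] Failed
   Last error: Non-retryable error
'@ -split "`r?`n"

# On a live host replace the sample with:  $sample = vssadmin list writers
$writers   = ConvertFrom-VssWriterList -Lines $sample
$unhealthy = @(Test-VssWriterHealth -Writers $writers)
if ($unhealthy.Count -gt 0) {
    Write-Warning 'Fix these writers before starting the backup:'
    $unhealthy | Format-Table Name, State, LastError -AutoSize
} else {
    'All VSS writers are Stable; safe to start the backup.'
}
```

On the constructed sample the Hyper-V writer is reported as Failed with a non-retryable error and the SQL Server writer passes. A writer stuck in any state other than Stable generally needs the service that owns it restarted before the job is retried; retrying the backup alone does not reset it.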

It will be interesting to see whether other Windows-based applica¬ 
tions will perform the minor (but incremental) work to deliver their 
own VSS writer and script an XML hie for this use. One might also 
hope that Microsoft will do some of the heavy lifting for strategic 
workloads that have previously precluded adoption of DPM because 
they weren’t protectable, such as Oracle or IBM Lotus Notes. 

Integration Across System Center 

Operations Manager isn’t the only component of System Center 2012 
with which DPM is integrated, although some of the other integrations 
actually pass through Operations Manager to be realized. Without
these integrations, DPM couldn’t be a fully credible and enterprise¬ 
worthy member of the System Center family. 

System Center 2012 Orchestrator runbooks. Like the automat¬ 
able tasks of the other System Center components, DPM tasks can be 
scripted as activities within an automation runbook in System Center 
2012 Orchestrator. If you’re automating the import of data into a data¬ 
base, you might add a DPM task to create a recovery point (backup) 
immediately before the import. Later in the runbook, you can auto¬ 
mate a restore to that recovery point if the data import is unsuccessful. 

Similarly, when combined with dynamic provisioning tasks in a 
Microsoft private cloud architecture, a runbook that’s invoked to cre¬ 
ate a new VM (through its self-service portal) can tell DPM to create 
a protection policy for the data in the newly launched service. 

System Center 2012 Service Manager tickets. Just like any other 
alert in Operations Manager, DPM alerts can result in System Center 
2012 Service Manager tickets for resolution. Those tickets are cleared 
when Operations Manager determines that the alerts have been 
resolved (or selected to ignore). Service Manager service requests 
can also be used to invoke data-protection activities such as creating 
a recovery point (backup) or initiating a restore. Those kinds of tasks 
are facilitated from either the canned actions within Operations Man¬ 
ager or the runbooks within Orchestrator. 

System Center 2012 Configuration Manager deployments. One of
the other new features in DPM is a more scalable (enterprise) way
of deploying DPM agents through Configuration Manager. DPM 2012
works through Operations Manager and Configuration Manager to
become aware of new protectable machines that are added to the
managed domains of an intranet. When this happens, Configuration
Manager can automatically deploy the DPM agent as it would any
other software package.

New in DPM 2012 is an awareness, via policies, of which DPM 
server should protect which production machines. When Operations 
Manager detects a freshly installed agent, it uses the policies to deter¬ 
mine which DPM server should protect that machine and creates a 
connection package within Configuration Manager. Configuration 
Manager deploys the package, whose simple script creates the glue 
from any particular machine to the correct DPM server. In doing this, 
DPM agent installations can be completely automated, from connec¬ 
tion through the application of a protection policy. 

The Bigger Picture 

DPM 2012 is a credible part of the System Center 2012 feature set. With 
proper usage, it could be a boon to private cloud deployments, as well 
as a low- or no-cost (for organizations that already own System Center) 
solution that’s ideal in branch offices. But few organizations will think 
of using it, perhaps because of a few missing features that the sta¬ 
tus quo backup solution recently added or because the organization’s 
Microsoft representative hasn’t demonstrated it yet. 

System Center 2012 isn’t just Operations Manager plus Systems 
Management Server and some other management tools thrown 
together. It really is a suite. Microsoft would like you to look at Sys¬ 
tem Center as one product, based on licensing. But one look at the 
installation directories will assure you that although the bits might be 
highly interoperable, there are still multiple server back ends, agent 
installables, and management interfaces to be used. (One can only 
hope—or assume—that even further unification and consolidation 
will take place in the next System Center release.) 

There are still a few features needed to bring DPM to parity with 
other Windows-centric solutions, particularly around deduplication. 
Windows Server 2012 will help, but its deduplication is still restricted 
to per-volume deduplication, which won’t benefit DPM backup serv¬ 
ers nearly as much as solutions that can use EMC Data Domain Boost, 
HP StoreOnce Catalyst, or NetApp optimized storage stacks. Today, 
backup leaders are innovating deduplication beyond just the disk in 
the backup servers’ storage pool, to optimize transmission from the 
backup server or even the production application. DPM now has the
management features and scale capabilities that larger enterprises 
need, but the lack of deduplication holds it back. 

Choosing one’s backup solution is about trust, often based on per¬ 
ceived product capability and company commitment to the solution. 
Ask your Microsoft direct sales engineer or Microsoft partner to dem¬ 
onstrate virtualization provisioning or automation and monitoring in 
System Center 2012. You’ll be amazed at the capabilities. Ask for a 
demonstration of backup or DR, and you’ll see that although DPM 
backup tasks are noticeably missing from many training and demo 
scenarios, DPM can still play a key role in your overall backup and 
protection solution. ■ 
The new client OS represents a radical departure from previous Windows versions


Windows 8, Microsoft’s latest client OS, features a new UI designed to be tablet
touch-friendly, and became available to customers via software upgrades or
with new PC purchases on October 26, 2012. Windows 8 represents a radical
departure from previous Windows versions and is arguably the most dramatic upgrade
Microsoft has yet developed.

The system is essentially a brand-new mobile platform that has been melded onto the 
traditional Windows desktop, giving users what Microsoft calls a “no compromises” experi¬ 
ence that blends the best of mobile with the best of Windows. Windows IT Pro brings you 
ongoing coverage of Windows 8, with in-depth treatment of significant features, breaking 
news, and analysis. Visit our Windows 8 page for the latest news and technical features. ■ 
Product News
for IT Pros 

Kerio Puts Connect in a Private Cloud 

Dusan Vitek, vice president of worldwide marketing for Kerio
Technologies , recently said, “You hear sometimes one size fits all. 
I don’t think that’s quite true. With IT, I think one size fits nobody. 
There are good reasons why somebody would want to deploy Kerio 
Connect on prem, and very good reasons why somebody would want 
to outsource the infrastructure part of it and just have control of the 
administration of the service. ” 

Vitek’s comment was part of a discussion about Kerio’s latest 
announcement, which introduces Kerio Cloud, the company’s self- 
hosted cloud infrastructure for Kerio Connect, a cross-platform email 
and calendaring server aimed at small-to-midsized businesses (SMBs). 
Previously, Kerio has allowed partners to provide Kerio Connect as a 
hosted service, but with Kerio Cloud, the company is providing a pre¬ 
configured, Linux-based Kerio Connect 8 virtual machine (VM). 

In addition to the news about Kerio Cloud, Kerio Connect 8 adds 
greylisting for added spam defense. Provided as a cloud service, grey¬ 
listing delays messages from any unknown senders, requiring the 
sending server to queue and resubmit the message—which spam¬ 
mers typically won’t do. To avoid delaying messages for legitimate 
senders, the Kerio Greylisting Service maintains a database of “trust¬ 
worthy senders” based on information from greylisting-enabled Con¬ 
nect servers around the globe. 

Although Kerio Cloud is a major new move for Kerio, the com¬ 
pany will continue to offer Kerio Connect in the on-premises ver¬ 
sion as well, which goes back to knowing the market and providing 
your customers the opportunity to choose the deployment method 
that suits their needs. However, it’s through recognizing increasing 
interest in the cloud that Kerio has made the current move. Now cus¬ 
tomers and partners can choose how best to proceed. Read more in 
B. K. Winstead’s “Kerio Puts Connect in a Private Cloud.” 


BeyondTrust Acquires Blackbird Group 

The news that BeyondTrust acquired Blackbird Group will especially
interest those in the Active Directory (AD), systems management,
and security spaces. BeyondTrust is a provider of Context-Aware
Security Intelligence solutions, whereas Blackbird Group is known
for its AD management suite and other AD and auditing products.

BeyondTrust says it will leverage the Blackbird product line to drive 
additional context and awareness around AD and infrastructure com¬ 
ponents by offering real-time auditing capabilities for both privileged 
and normal users. 

The acquisition continues the shakeup and consolidation in the 
AD space, and you might recognize previous players resurfacing: 

“Having previously led NetPro Computing, I understand the impor¬ 
tance Active Directory plays within the enterprise,” said Kevin 
Hickey, president and chief operating officer at BeyondTrust. “We’re 
excited to continue the development of Blackbird’s product line and 
provide a solid, seamless integrated management approach to Win¬ 
dows infrastructure.” 

Blackbird’s downloadable community tools will continue to be 
available. For now. Blackbird will operate as a business unit within 
BeyondTrust, then rebranding will be looked at near the end of the 
first quarter; the company will maintain all support contracts. For 
more information, see the BeyondTrust website. 


Rackspace Calms Hosting Fears 

We spoke with Jeff DeVerter, SharePoint architect at Rackspace , and 
Shane Young, SharePoint MVP at Rackspace, during the recent Micro¬ 
soft SharePoint Conference 2012. The hosting solutions and managed 
hosting company this year beefed up its SharePoint presence with the 
acquisition of long-time associate, SharePoint911, a SharePoint con¬ 
sulting and training company. We talked about SharePoint 2013, Rack- 
space going open source, and hosting fears. About that latter point, 
DeVerter said that people’s greatest fear is “that their data doesn’t 
sit in their data center. They think that if it’s in their data center, it’s
more secure. But we have data centers worldwide. When a company 
comes to us for managed hosting, they get their dedicated storage. 
They’re sharing the Internet pipe coming in, but it’s their own routers 
and no other customer is accessing it. We don’t do multi-tenant.” For 
more of this interview, see Caroline Marwitz’s “ You Could Figure Out 
How to Manage Multiple SharePoint Farms Worldwide, Or— 

Piriform Celebrates 1 Billion Downloads of CCleaner 

Piriform announced that its CCleaner utility has surpassed 1 billion 
downloads. The popular PC optimization tool has been installed on 
approximately one quarter of the world’s PCs. CCleaner helps a com¬ 
puter run like new by removing unnecessary files, including unused
and temporary files. It clears Internet and download history, elimina¬ 
ting digital “traces” that can compromise privacy, resulting in a faster,
cleaner, and more secure computer, with maximized hard disk space.
Piriform also offers more advanced CCleaner software packages for 
small business and enterprise environments, including CCleaner 
Professional, CCleaner Business Edition, CCleaner Network Profes¬ 
sional, and CCleaner Tech Edition. These editions include additional 
features, such as remote deployment, management, scheduling, net¬ 
work reporting, the ability to clean across profiles, and much more.
For more information, check out the Piriform website . 

Imation Announces IronKey Workspace 
for Windows To Go 

Imation announced the beta availability of its IronKey Workspace,
certified for deployment of Windows To Go. The IronKey Workspace
lets organizations outfit mobile professionals with a secure, fast USB
platform to run Windows To Go from a USB stick on multiple com¬ 
patible PCs, an ideal solution for teleworkers, contractors, and those 
implementing Bring Your Own Device (BYOD) strategies. The IronKey 
Workspace is certified for deployment of Windows To Go, a feature 
of Windows 8 that lets enterprise users boot a full version of Win¬ 
dows 8 from an external USB drive on compatible host PCs. Orga¬ 
nizations running Windows 8 Enterprise can provision a Windows 
desktop onto the IronKey Workspace to create a PC on a Stick, with 
the OS and data contained on the USB drive, while still leveraging the 
host PC’s hardware and resources, such as monitors, cameras, and 
network connections. The IronKey Workspace provides a fast, easy, 
and cost-effective way to empower mobile workers with Windows To 
Go. To learn more, check out the Imation website. 


triCerat Releases Simplify Profiles 5.6 

Simplify Profiles saves systems administrators countless hours by 
replacing cumbersome Group Policies and administrative templates 
with an intuitive drag-and-drop interface that allows you to set 
and maintain the application details that users need to be efficient 
throughout the day. The result is a seamless work experience as 
accurate profile information is delivered to the correct user at every 
logon session, regardless of location. The newly released Simplify 
Profiles 5.6 provides greater support of the profile environment with 
enhanced configurability and improved mobility. Feature highlights 
include App-V support (which delivers the benefits of Simplify Pro¬ 
files to Remote Desktop Services, XenApp, XenDesktop, and VMware 
View deployments running App-V applications), Connect/Disconnect 
Mode (which allows users to sync user profile data when they discon¬ 
nect from and reconnect to their applications), and Environmental 
Variable Support (which increases user profile configurability). For 
more information, see the triCerat website. ■ 
Symantec Backup
Exec 3600 

Creating consistent, reliable backups of business-critical data
continues to be a challenge in organizations of all sizes. This
problem is particularly acute for small-to-midsized businesses
(SMBs) that don’t have the resources necessary to put in place a
proper backup regimen. Some organizations rely on backup utili¬ 
ties that come with their OS or application software, whereas others
employ a manual system in which multiple copies of files are created
in many different places. Consequently, these organizations are plac¬ 
ing themselves at risk. They might have lost, corrupted, or incom¬ 
plete data, which can lead to an interruption in business operations
when they need to restore files from backups.

The Symantec Backup Exec 3600 is designed to remove many of 
the headaches, problems, and uncertainties of backups for SMBs, yet 
it packs many features that will appeal to enterprises. Symantec’s 
goal was to produce an appliance that a user with a moderate amount 
of IT skills could get running in around 45 minutes. I believe that 
someone with far less skill could get it running much faster, espe¬ 
cially when accepting the default options during the installation. 

Getting Started 

The Symantec Backup Exec 3600 comes in packaging that belies its 
actual size. The size of the shipping box is typical for a full 1U or 
even 2U appliance. When you open the box, you’re confronted with 
an impressive amount of foam padding designed to protect a much 
smaller 1U device, as Figure 1 shows. Also included in the box are 
standard rack rails and a welcome kit that contains everything you 
need to get the device up and running: all the cables, complete instruc¬ 
tions in a printed booklet, and a USB thumb drive, which you can use 
Figure 1

Symantec Backup 
Exec 3600 



to restore the device to its factory settings if ever required. A lot of 
thought and care has gone into the packaging, and it definitely shows. 

I got the appliance out of the packaging, attached the power cables, 
and powered it on in less than five minutes. Following the instructions 
in the printed manual, I attached the device’s first Ethernet port 
to my laptop’s Ethernet port, configured an IP address on my laptop, 
opened up my web browser, and connected to the management interface. 
The printed manual walks you through configuration, but this 
walkthrough isn’t really necessary due to the clear instructions presented 
through the web interface and online Help files. Still, a printed 
manual is a very nice touch and handy, too. All told, I had the device 
up and running in around 30 minutes, which includes the time taken 
to customize some configuration options. If I had accepted all the 
defaults, it would have been much quicker. 

During configuration, the appliance begins to reveal a little about 
itself. It’s designed to work in Windows forest and domain environments, 
and you’re prompted to join a domain. If you’re going to use 
the appliance to back up Windows servers and desktops, you’ll want 
to join a domain. Although the appliance can be used without joining 
a domain, the configuration isn’t as simple and might present problems 
for organizations without experienced IT staff. The appliance 
itself runs on Windows Storage Server 2008 R2. 

There are five Ethernet ports on the appliance, with the first port 
dedicated for the management interface and the fifth port dedicated to 
Symantec technical support. That leaves three ports you can use. Once 
the appliance is configured and restarted, you plug it into your regular 
network using one of these other Ethernet ports. Afterward, you open 
your browser, connect to the appliance, log on, and launch the management 
applications. The management applications are simply RDP 
configuration files that your Windows system will use to establish a 
remote desktop connection to the appliance. You then log on using an 
Active Directory (AD) account that has the rights to log on to a server, 
which is any account that is a member of the Domain Admins group. 
You can also log on using the built-in administrator account (whose 
password you can change during the initial configuration). 

My only criticism of the appliance’s configuration process is that 
the crucial step of connecting to the device to manage it is poorly 
documented in the printed manual. However, the documentation in 
the online manuals, which you can download from the device as PDF 
files, is better. 


Managing Backup and Restore Operations 

When you log on to the appliance, the UI opens for the Backup 
Exec software, which is an application that runs on the appliance. 
As Figure 2 shows, the UI is intuitive, well laid out, and, frankly, 
very appealing. From here, you can browse for Windows servers and 
desktops in your network and in AD. Using administrator credentials 
(which you supply), you can deploy the Backup Exec agent to them 
from the appliance. The deployment process is fast. If it runs into any 
problems, it provides a wealth of information you can use for troubleshooting. 
A note of caution, though: If you don’t have a healthy AD 
(e.g., have replication problems or tombstoned objects), the appliance 
will have difficulty discovering, connecting to, and deploying 
the agents. In such situations, you can create accounts on the target 
machines or manually install the Backup Exec agent. 

After the agents are deployed to your servers and desktops, you can 
create backup jobs. You can create a one-off backup job or schedule 
the backup jobs to run regularly. I found that I could do both quickly 
and easily, without consulting the documentation to figure out how. 
The progress and status of jobs is clearly shown in the interface. 
Restoring folders and files to servers and desktops is just as simple as 
creating the backup jobs. 

Figure 2: Backup Exec UI 

Overall, I found the appliance’s backups and restores to be very 
fast compared with other backup solutions I’ve tried. I attribute this 
to the unique architecture and intelligence built into the Backup Exec 
agent. The agent tracks and records changes to files as they’re made 
in the file system rather than scouring every folder and file during a 
backup, looking for files that changed. 

Exploring the Enterprise Features 

As I mentioned previously, the Symantec Backup Exec 3600 appliance 
might be attractive to enterprises as well as SMBs. Although 
designed to work very efficiently in Windows networks that rely on 
AD, it works just as well with standalone machines. It should also 
work well with Linux and Apple Macintosh OSs with the appropriate 
clients and agents installed. The appliances themselves can be 
configured to work with tape devices, providing disk-to-disk-to-tape 
(D2D2T) options, and Hierarchical Storage Management (HSM) capabilities 
(i.e., one appliance manages others). 

Symantec Backup Exec 3600 

PROS: Well thought-out packaging; small, compact unit that's easily 
expandable; printed manuals and all required cables included in the box 

CONS: Post-installation management not clearly documented in printed 
materials; assumes Active Directory is available and healthy; support 
for non-Windows systems not apparent and requires additional steps 

RATING: 

PRICE: Pricing varies depending on the configuration; contact the 
vendor for specific pricing 

RECOMMENDATION: The Symantec Backup Exec 3600 appliance is ideal for 
mid-sized businesses and remote offices where backup administrators 
need a hassle-free, easy-to-deploy, flexible system that can be 
expanded to meet future needs. 

CONTACT: Symantec - 800-745-6054 

The appliance also supports virtualization software. You can back 
up virtual machines (VMs) and even use machine-level backups of 
physical servers or desktops to create VMs that can be restored to 
your virtualization servers. 

Last, but certainly not least, the appliance can be used in branch 
office and workgroup scenarios, where integration into other backup 
regimens is either not possible or not desirable. The appliance’s use 
of RDP to connect to the Backup Exec software makes it simple to use 
and enables it to efficiently use bandwidth. 

Sad to See It Leave 

All-in-all, I was very impressed by the appliance and was somewhat 
sad to have to pack it up and send it back. It could easily have found 
a permanent home in my lab, backing up my machines on a nightly 
basis. The appliance will suit the needs of SMBs, but its powerful features 
can easily be utilized by an enterprise to supplement its backup 
environment and to support branch offices. ■ 
Enterprise UPS 

Protect your critical data and systems 
against unexpected power outages 


Every IT pro that I know of has several of the same fears: Internet 
outages, being unable to restore from a backup, servers not 
coming back up after maintenance, and so on. One other item 
that often makes the list but fortunately doesn’t occur too often is a 
power outage. Still, the threat is ever present and almost always happens 
without any warning whatsoever. 

Most organizations solve the power outage problem by installing 
an Uninterruptable Power Supply (UPS)—a backup battery. In the 
event of a loss of electricity from the local power company, the UPS 
takes over nearly instantaneously, so the computer that’s protected 
by the UPS isn’t impacted at all. As you can see in Table 1, there are 
many vendors that offer UPSs. You’ll find that the vendors offer a 
wide gamut of protection, from a single desktop computer UPS all the 
way to a site UPS that can protect an entire data center and remotely 
shut down equipment if necessary during an extended power outage. 

Table 1: UPS Solutions 

Vendor                 UPS Solution 
APC                    MGE, Smart-UPS, and Symmetra lines 
Belkin                 Belkin Regulator Pro Net Series UPS 
Clary                  S Series 
CyberPower Systems     Smart App Series 
Eaton                  Powerware UPS line 
Emerson Electric       Liebert Rackmount, Network, and Large Facility UPS 
General Electric       Single Phase UPS and Three Phase UPS 
OPTI-UPS               Durable Series, Power Series, and Thunder Shield Series 
Smart Power Systems    SPV-TBF UPS Series and SSP UPS Series 
Toshiba                Single Phase UPS and Three Phase UPS 
Tripp Lite             SmartPro UPS and SmartOnline UPS 

Michael Dragone is a contributing editor for Windows IT Pro and a 
senior network engineer. He holds MCDST, MCSE: Messaging, MCTS, and 
MCITP credentials and remembers when Windows IT Pro was called 
Windows NT Magazine. 

WWW.WINDOWSITPRO.COM 

Windows IT Pro / February 2013 107 

Market Watch 

Things to Consider When Designing a Power Protection Solution 

Although it might be tempting to simply purchase the largest UPS you 
can afford and plug everything into it, some due diligence will help 
your wallet. For example, if you have a generator in addition to a UPS, 
consider how long you’ll have to run on the UPS before the generator 
will be able to take over. You also need to consider how long you’ll 
need to shut everything down if the generator doesn’t start for some 
reason and you remain on UPS power. It’s also helpful to include 
some client machines (such as those used by the IT administrator 
and key operations personnel) in any power protection design. Don’t 
forget about networking gear either—you don’t want to fall off the 
Internet or have your telephones stop working, especially if you have 
VoIP phones that utilize Power over Ethernet (PoE). 

Things to Consider When Selecting a UPS 

There’s plenty to consider when selecting a UPS. After determining 
the type of UPS (online, line-interactive, or standby) needed, the prime 
consideration is almost always the runtime available when running 
on battery. If you find a vendor and model line you’re happy with 
but need some extra battery runtime or are concerned about future 
growth, check with the vendor to see if they offer a battery expansion 
module. In some cases, these modules can extend the battery runtime 
by an hour or more. 

Other important considerations include the number of available 
battery-backed outlets versus the number of surge-only protected 
outlets, the input voltage and amps, and the input plug type. You 
won’t be able to connect a 240-volt UPS to an ordinary NEMA 5-15 
receptacle, for example. Likewise, if your UPS is site-based and not 
a tower or rack-mount model, you’ll need a qualified electrician to 
install the unit. You’ll certainly want to be able to connect to your 
UPS through management software, so pay particular attention to 
the type of connectivity the UPS offers (e.g., serial, USB, Ethernet) 
and if the vendor includes management software or if it’s a separate 
purchase. 

Finally, don’t neglect the “little” details—the UPS unit’s dimensions 
and weight. Not only will you need to know if the unit will fit in 
whatever space you’ve chosen for it, you’ll want to leave some workspace 
around the unit in the event it needs to be serviced for battery 
replacement, air filter changes (if necessary), and so on. 

Maintenance 

Maintenance of your power protection equipment is important. UPS 
batteries need to be tested regularly and replaced every three to five 
years. If you have a larger unit that requires other upkeep (e.g., air 
filter changes), you need to make sure those maintenance items are 
taken care of. If you have a generator, don’t neglect it in favor of the 
UPS or vice-versa. Ideally, your power protection solution will automate 
the transfer from utility power to UPS power to generator power 
back to utility power, so you’ll want to ensure that all of the components 
required for that to happen are well-serviced. 

Be Prepared 

Although power outages are rare in the United States, Murphy’s Law 
will ensure that the power goes out at the most inconvenient time, 
such as 4:00 p.m. on a Friday or 2:00 a.m. on a Sunday. A well-designed, 
reliable, and tested solution that includes quality UPS hardware will 
mean you only receive a few text messages informing you that your 
backup power is on and functioning, keeping all your critical data 
and systems safe. ■ 
Stop Procrastinating! 


Product of the Month 

Have you been putting off that next big project? Dextronet.com claims 
to have a piece of software that will crush your procrastination. Swift 
To-Do List 8 is the new version of its organization software 
for Windows. “For the last 7 years, we’ve been 
developing Swift To-Do List with the aim of helping our 
customers eliminate forgetfulness, stress, and feelings of 
overwhelm,” says Jiri Novotny, Swift To-Do List’s chief 
designer. One of the new features is subtasks support, 
which lets you break complex tasks down into small 
action steps. “Procrastination is often caused by a fear of daunting 
tasks. By breaking these complex tasks down, you can greatly decrease 
the likelihood of procrastinating.” You can also “snooze” some tasks 
for a later date, keeping your to-do list short and relevant. “Using such 
a list is more enjoyable and motivating than having the typical nearly 
endless to-do list.” Think a piece of task-management software can 
alter your psychology? Contact Dextronet.com for more information 
about Swift To-Do List. 




Figure 1: Shall We Put It in the Correct Spot? 


User Moment of the Month 

We had a home-based employee call and say that she 
was having trouble with her “Internet.” She said all she 
ever got was Google, Yahoo!, or something else. All she 
wanted was the Internet—nothing more! —Steve 


Send us your funny screenshots, oddball product news, 
and hilarious end-user stories. If we use your submission, 
you'll receive a Windows IT Pro Rubik's Cube. 

